Missed Questions - CompTIA Sec+

Gary is reviewing his system's SSH logs and sees logins for the user named "Gary" with passwords like: password1, password2...PassworD. What type of attacks has Gary discoverd? A. A dictionary attack B. A rainbow table attack C. A pass-the-hash attack D. A password spraying attack

A. A dictionary attack will use a set of likely passwords along with common variants of those passwords to try to break into an account. Repeated logins for a single userID with iterations of various passwords is likely a dictionary attack. A rainbow table is used to match a hashed password with the password that was hashed to that value. A pass-the-hash provides a captured authentication hash to try to act like an authorized user. A password spraying attack uses a known password (often from a breach) for many different sites to try to log into them.

Precompiled SQL statements that only require variables to be input are an example of what type of application security control? A. Parameterized queries B. encoding data C. Input Validation D. Appropriate access controls

A. A parameterized query (sometimes called a prepare statement) uses a prebuilt SQL statement to prevent SQL-based attacks. Variables from the application are fed to the query rather than building a custom query when the application needs data. Encoding data helps to prevent cross-site scripting attacks, as does input validation. Appropriate access controls can prevent access to data that the account or application should not have access to, but they don't use precompiled SQL statements. Stored procedures are an example of a parameterized query implementation. 사전 컴파일된 SQL 문장을 사용하여 SQL 쿼리를 작성할 때, 매개변수화된 쿼리를 사용하여 변수가 입력되도록 할 수 있습니다. 이렇게 하면 사용자 입력이 직접 SQL 문장에 삽입되는 것을 방지하고 SQL 인젝션 공격을 예방할 수 있습니다. 따라서 "Parameterized queries" (매개변수화된 쿼리)는 애플리케이션 보안 컨트롤 중 하나로 사용자 입력 데이터를 안전하게 처리하는 데 사용됩니다.

Bart knows that there are two common connection methods between Wi-Fi devices. Which of the following best describes ad hoc mode? A. Point-to-point B. NFC C. Point-to-multipoint D. RFID

A. Ad hoc networks work without an access point. Instead, devices directly connect to each other in a point-to-point fashion. Infrastructure mode Wi-Fi networks use a point-to-multipoint model. Ad hoc mode는 무선 네트워크에서 사용되는 연결 모드 중 하나입니다. 이 모드에서 무선 장치 간에 직접 통신이 이루어집니다. 즉, 무선 장치가 서로 통신할 수 있으며 중간에 라우터 또는 액세스 포인트를 사용하지 않습니다. 이 모드는 일종의 "페어링"이나 "점대점" 연결을 나타냅니다. 다른 옵션들: B. NFC (Near Field Communication)는 무선 통신 기술이지만 Wi-Fi 연결 모드와 직접 관련되어 있지 않습니다. C. Point-to-multipoint 모드는 하나의 무선 장치가 여러 다른 무선 장치와 통신하는 모드를 나타냅니다. D. RFID (Radio-Frequency Identification)는 무선 기술이지만 Wi-Fi 연결 모드와 직접 관련되어 있지 않습니다.

Which one of the following statements about the cryptographic key is incorrect? A. all cryptographic keys should be kept secret B. Longer keys are better than shorter keys when the same algorithm is used C. Asymmetric algorithms generally use longer keys than symmetric algorithms D. Digital certificates are designed to share public keys

A. All of these statements are correct except for the statement that all cryptographic keys should be kept secret. The exception to this rule are public keys used in asymmetric cryptography. These keys should be freely shared.

What is the key difference between hashing and 'checksum'? A. Both can validate integrity, but a hash also provides a unique digital fingerprint B. A gash can be revered, and a checksum cannot be C. Checksums provide greater security than hashing D. Checksums have fewer message collisions than a hash

A. Although both a 'checksum' and a has can be used to validate message integrity, a hash has fewer collisions than a checksum and will also provide a unique fingerprint for a file. Checksums are primarily used as a quick means of checking that that integrity is maintained, whereas hashes are used for many other purposes such as secure password validation without retaining the original password. A checksum would not be useful for providing a forensic image was identical, but it could be used to ensure that your work had not changed the content of the drive. 둘 다 무결성을 검증할 수 있지만, 해시는 고유한 디지털 지문을 제공합니다. 설명: 해싱과 체크섬 모두 데이터의 무결성을 검증하는 데 사용될 수 있습니다. 그러나 해싱은 입력 데이터에 대해 고유한 고정 길이의 출력 값을 생성하여 데이터의 고유한 디지털 지문을 제공합니다. 이로써 데이터의 손상 여부나 변경 여부를 더욱 신뢰할 수 있게 만듭니다. 반면 체크섬은 단순히 데이터의 일부 합계 또는 체크섬 값으로 데이터의 무결성을 확인하는 데 사용되며, 이 값은 고유한 디지털 지문을 제공하지 않습니다.

Amanda notices traffic between her systems and a known malicious host on TCP port 6667. What type of traffic is she most likely detecting? A. Command and control B. A hijacked web browser C. A RAT D. A worm

A. Amanda has most likely discovered a botnet's command-and-control (C&C) channel, and the system or systems she is monitoring are probably using IRC as the C&C channel. - IRC (Internet Relay Chat): frequently used to manage client-server botnets A RAT is more likely to use a different control channel, worms spread by attacking vulnerable services, and a hijacked web browser would probably operate on common HTTP or HTTPS ports (80/443). TCP 포트 6667은 일반적으로 Command and Control (C2) 서버와의 통신에 사용되며, 악성 소프트웨어가 제어 서버와 통신하여 공격자에게 제어 및 명령을 수신하는 데 사용됩니다. 따라서 Amanda가 이 포트에서의 트래픽을 감지한 경우, 시스템이 악성 C2 서버와 통신하는 것으로 의심할 수 있습니다.

Michelle wants to ensure that attackers who breach her network security perimeter cannot gain control of the systems that run the industrial processes her organization uses as part of their business. What type of solution is best suited for this? A. An air gap B. A Faraday Cage C. A Cold aisle D. A screened subnet

A. An airgap is a physical separation of devices. By implementing an air gap, Michelle can ensure that devices cannot be accessed via the network, thus preventing intruders who have breached her network perimeter security from accessing the industrial control systems she is responsible for securing. Faraday cage stops electromagnetic signals and emissions (EMI), a cold aisle is the air-conditioned aisle in a datacenter where cold air is pulled into systems, and a screened subnet is where systems that deal with untrusted traffic are placed. 에어 갭은 네트워크와 산업 프로세스 시스템 사이에 물리적인 분리를 생성하는 방법입니다. 이것은 완전히 두 시스템을 격리시키고 네트워크 공격자가 산업 프로세스 시스템에 액세스할 수 없도록 하는 가장 높은 수준의 보안을 제공합니다. B. A Faraday Cage (페라디 케이지)는 전자 기기의 전자기 민감성을 차단하기 위한 물리적 보호 장치입니다. C. A Cold aisle (콜드 아일)은 데이터 센터 냉각을 위한 용어로, 산업 프로세스 보안과는 관련이 없습니다. D. A screened subnet (스크린된 서브넷)은 네트워크 보안과 관련이 있지만, 에어 갭과는 다른 보안 레벨을 나타내며, 에어 갭의 고립 수준보다 낮을 수 있습니다.

What term best describes an organization's desired security state? A. Control objectives B. Security priorities C. Strategic goals D. Best practices

A. As an organization analyzes its risk environment, technical and business leaders determine the level of protection required to preserve the confidentiality, integrity, and availability of their information and system. They express these requirements by writing the control objectives that the organization wishes to achieve. These control objectives are statements of a desired security state. "제어 목표"는 조직이 원하는 보안 상태를 나타내는 용어입니다. 이것은 조직이 설정한 특정 보안 조치나 제어 절차에 대한 목표를 의미합니다. 제어 목표는 조직이 보안을 유지하고 개선하기 위해 사용하는 구체적인 목표 및 기준을 제시합니다. 이 목표들은 조직의 보안 정책과 프로세스를 지원하며, 원하는 보안 상태를 달성하는 데 도움이 됩니다.

Henry wants to use an open source forensic suite. Which of the following tools should he select? A. Autopsy B. EnCase C. FTK D. WinHex

A. Autopsy is the only open source forensic suite on this list. Both Encase and FTK are commercial tools, and WinHex is also a commercial tool but is not forensic suite. Autopsy는 오픈 소스 포렌식 도구로, 디스크 이미징, 파일 검색 및 분석, 복구 등 다양한 포렌식 기능을 제공합니다. Autopsy는 무료로 사용할 수 있으며, 오픈 소스 커뮤니티에 의해 개발 및 유지보수되고 있어 포렌식 분석 작업에 유용한 도구 중 하나입니다. EnCase, FTK 및 WinHex는 상용 포렌식 도구로서 Autopsy와 비교하여 비용이 발생하고 있으므로 오픈 소스 도구를 선호하는 경우 Autopsy가 좋은 선택입니다.

James is concerned about preventing broadcast storms on his network. Which of the following solutions is not a useful method of preventing broadcast storms on his network? A. Disable ARP on all accessible ports B. Enable Spanning Tree protocol C. Enable loop protect features on switches D. Limit size of VLANs

A. Broadcast storms occur when broadcast packets are received and retransmitted by switches in a network, amplifying the traffic and causing heavy traffic loads. Spanning tree protocol, loop prevention features, and limited VLAN sizes can all reduce the potential for a broadcast storm. Disabling ARP on a network is not a recommended solution for a TCP/IP network. 브로드캐스트 스톰을 방지하는 데 ARP를 비활성화하는 것은 일반적으로 현실적이지 않습니다. ARP(Address Resolution Protocol)은 네트워크에서 IP 주소를 물리적 MAC 주소로 매핑하는 데 필요한 프로토콜입니다. ARP를 비활성화하면 네트워크의 정상적인 동작이 방해되므로 브로드캐스트 스톰 방지에 적합하지 않습니다. B, C 및 D는 브로드캐스트 스톰을 방지하기 위해 일반적으로 사용되는 방법입니다. Spanning Tree 프로토콜을 활성화하고 스위치에서 루프 보호 기능을 활성화하면 루프와 관련된 문제를 감지하고 방지할 수 있습니다. 또한 VLAN 크기 제한은 VLAN 내에서 브로드캐스트 도메인의 크기를 제한하여 스톰 확산을 방지하는 데 도움이 될 수 있습니다.

Amanda wants to securely destroy data held on DVDs. Which of the following options is not a suitable solution for this? A. Degaussing B. Burning C. Pulverizing D. Shredding

A. Degaussing only works on magnetic media, and DVDs are optical media. Amanda could burn, pulverize, or even shred the DVDs to ensure that data is properly destroyed.

Ursula would like to link the networks in her on-premises datacenter with cloud VPCs in a secure manner. What technology would help her best achieve this goal? A. Transit gateway B. HSM C. VPC endpoint D. SWG

A. Cloud providers offer VPC endpoints that allow the connection of VPCs to each other using the cloud provider's secure network backbone. Cloud Transit gateway extend this model even further, allowing the direct interconnection of cloud VPCs with on-premises VLANs for hybrid cloud operations. Secure web gateways (SWG) provide a layer of application security for cloud-dependent organizations. Hardware security module (HSM) are special purpose computing devices that manage encryption keys and also perform cryptographic operations in a highly efficient manner. Transit gateway는 여러 VPC 및 온프레미스 네트워크와의 연결을 관리하고 중앙 집중식 네트워크 허브 역할을 수행하는 클라우드 서비스입니다. 이를 통해 여러 VPC 및 온프레미스 네트워크 간의 효율적인 연결 및 트래픽 라우팅을 구성할 수 있습니다. B. HSM (하드웨어 보안 모듈): HSM은 암호화 키 관리와 보안 기능을 제공하는 하드웨어 장치로, 네트워크 연결에 직접 관련이 있지는 않습니다. C. VPC endpoint (VPC 엔드포인트): VPC endpoint는 AWS 내에서 서비스에 안전하게 연결하기 위한 방법을 제공하는 AWS의 기능 중 하나이며, 온프레미스 데이터 센터와의 연결을 위한 기술은 아닙니다. D. SWG (Secure Web Gateway): SWG는 웹 트래픽을 검사하고 보호하기 위한 보안 솔루션으로, 데이터 센터와 클라우드 VPC 간의 연결과 직접적인 관련이 없습니다.

Brian would like to limit the ability of users inside his organization to provision expensive cloud server instances without permission. what type of control would best help him achieve this goal? A. Resource policy B. Security group C. Multifactor authentication D. Secure web gateway

A. Cloud providers offer resource policies that customers may use to limit the actions that users of their accounts may take. Implementing resource policies is a good security practices to limit the damage caused by an accidental command, a compromised account, or a malicious insider. 리소스 정책은 클라우드 환경에서 리소스에 대한 액세스 및 사용을 제어하기 위한 정책을 설정하는 데 사용됩니다. Brian은 비싼 클라우드 서버 인스턴스에 대한 프로비저닝을 제어하려면 이러한 리소스에 대한 액세스를 제한하는 리소스 정책을 구성할 수 있습니다. B. Security group (보안 그룹): 보안 그룹은 네트워크 트래픽 및 포트에 대한 액세스 규칙을 정의하여 인스턴스의 네트워크 보안을 관리하는 데 사용됩니다. C. Multifactor authentication (다중 인증): 다중 인증은 사용자가 로그인할 때 여러 인증 요소를 제공해야 하는 보안 메커니즘입니다. D. Secure web gateway (안전한 웹 게이트웨이): 안전한 웹 게이트웨이는 웹 트래픽을 검사하고 보호하기 위한 보안 솔루션입니다.

Tim is a software developer who creates code for sale to the public. He would like to assure his users that the code they receive actually came from him. What technique can he use to best provide this assurance? A. Code signing B. Code endorsement C. Code Encryption D. Code obfuscation

A. Code signing provides developers with a way to confirm the authenticity of their code to end users. Developers use a cryptographic function to digitally sign their code with their own private key, and then browsers can use the developer's public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals. 코드 서명은 소프트웨어 개발자가 코드의 원본을 인증하는 기술입니다. 개발자는 코드를 서명하여 디지털 서명을 생성하고, 사용자는 이 디지털 서명을 사용하여 코드가 개발자로부터 왔음을 검증할 수 있습니다. 이를 통해 코드의 무결성과 출처를 확인할 수 있으며, 코드 변경이나 위조를 탐지하는 데 도움이 됩니다

Ryan is selecting a new security control to meet his organization's objectives. He would like to use it in their multicloud environment and would like to minimize the administrative work required from his fellow technologists. What approach would best meet his needs? A. Third-party control B. Internally developed control C. Cloud-native control D. Any of the above

A. Controls offered by cloud service providers have the advantage of direct integration with the provider's offerings, often making them cost-effective and user-friendly. Third-party solutions are often more costly, but they bring the advantage of integrating with a variety of cloud providers, facilitating the management of multicloud environments.

Jeff is concerned about the effects that a ransomware attack might have on his organization and is designing a backup methodology that would allow the organization to quickly restore data after such an attack. What type of control is Jeff implementing? A. Corrective B. Preventive C. Detective D. Deterrent

A. Corrective controls remediate security issues that have already occurred. Restoring backups after ransomware attack is an example of a corrective control.

What technique is used to ensure that DNSSEC-protected DNS information is trustworthy? A. It is digitally signed B. It is sent via TLS C. It is encrypted using AES256 D. It is sent via an IPSec VPN

A. DNSSEC does not encrypt data but does rely on digital signatures to ensure that DNS information has not been modified and that it is coming from a server that the domain owners trusts. DNSSEC does not protect confidentiality, which is a key thing to remember when discussing it as a security option. TLS, and IPSec VPN, or encrypted via AES are all potential solutions to protect the confidentiality of network data. DNSSEC (Domain Name System Security Extensions)은 DNS 정보의 무결성과 인증을 보장하기 위한 보안 확장 기술입니다. DNSSEC를 사용하면 DNS 레코드가 디지털 서명되므로 DNS 정보가 신뢰할 수 있음을 보증할 수 있습니다. 이 디지털 서명은 DNS 데이터의 무결성을 검증하고 DNS 정보의 변조나 위조를 방지하는 데 사용됩니다. 다른 옵션들: B. It is sent via TLS: DNSSEC는 DNS 정보의 보안을 담당하며, TLS (Transport Layer Security)는 다른 프로토콜의 통신을 보안하는 데 사용됩니다. DNSSEC와 TLS는 서로 다른 보안 레이어를 나타냅니다. C. It is encrypted using AES256: DNSSEC는 데이터의 무결성을 검증하는 데 사용되며, 데이터의 암호화에는 AES256과 같은 암호화 알고리즘이 사용될 수 있지만, DNSSEC의 주요 목적은 무결성을 보장하는 것입니다. D. It is sent via an IPSec VPN: DNSSEC는 DNS 정보의 무결성을 검증하기 위한 메커니즘으로, IPSec VPN은 네트워크 통신의 안전한 터널링을 제공하는 데 사용됩니다. DNSSEC와 IPSec VPN은 서로 다른 보안 레이어를 나타냅니다.

What term is used to describe tools focused on detecting and responding to suspicious activities occurring on endpoints like desktops, laptops, and mobile devices? A. EDR B. IAM C. FDE D. ESC

A. Endpoint detection and response (EDR) systems provide monitoring, detection, and response capabilities for systems. EDR systems capture data from endpoints and send it to a central repository, where it can be analyzed for issues and indicators of compromise or used for incident response activities. IAM is identity and access management, FDE is full-disk encryption, and ESC is not a commonly used security acronym. EDR (Endpoint Detection and Response): EDR은 엔드포인트 디바이스에서 발생하는 의심스러운 활동을 탐지하고 대응하는 데 중점을 둔 보안 도구입니다. 이러한 도구들은 악성 소프트웨어의 탐지, 침입 감지, 이상 징후 탐지 등을 포함하여 엔드포인트 보안을 강화하는 데 사용됩니다. B. IAM (Identity and Access Management): IAM은 사용자의 신원 관리 및 액세스 제어를 위한 도구와 프로세스를 의미합니다. 사용자가 시스템 및 리소스에 대한 권한을 관리하고 제어함으로써 보안을 강화합니다. C. FDE (Full Disk Encryption): FDE는 전체 디스크 암호화를 나타내며, 컴퓨터 또는 디바이스의 전체 디스크를 암호화하여 데이터 보안을 제공합니다. 데이터가 저장된 디스크가 분실되거나 도난당해도 데이터를 안전하게 보호할 수 있습니다. D. ESC (Electronic Stability Control): ESC는 자동차 안전 기술 중 하나로, 차량의 운전 상태를 모니터링하고 필요한 경우 브레이크나 엔진 출력을 조절하여 스핀이나 미끄러짐을 방지하는 역할을 합니다. 이것은 자동차 안전과 관련된 기술로서, 엔드포인트 보안과는 직접적인 관련이 없습니다. 따라서 의심스러운 활동을 감지하고 대응하는 데 중점을 둔 도구는 "A. EDR (Endpoint Detection and Response)"입니다.

Michael wants to acquire the firmware from a running device for analysis. What method is most likely to succeed? A. Use forensic memory acquisition techniques B. Use disk forensic acquisition techniques C. Remove the firmware chip from the system D. Shut down the system and boot to the firmware to copy it to a removable device.

A. Firmware can be challenging to access, but both memory forensic techniques and direct hardware interface access are viable means in some cases. Firmware is not typically stored on the disk and instead is stored in a BIOS or UEFI Chip. Removing the chip from the system will leave it unable to run and thus this is not a preferred method. Also, many chips are not removable. Shutting down the device and booting it to the firmware does not provide a means of copying the firmware for most devices. Although the firmware is likely to allow updates, most do not allow downloads or copying.

PM Questions Which of these protocols use TLS to provide secure communication? (Select TWO) ❍ A. HTTPS ❍ B. SSH ❍ C. FTPS ❍ D. SNMPv2 ❍ E. DNSSEC ❍ F. SRTP

A. HTTPS and C. FTPS TLS (Transport Layer Security) is a cryptographic protocol used to encrypt network communication. HTTPS is the Hypertext Transfer Protocol over TLS, and FTPS is the File Transfer Protocol over TLS. An earlier version of TLS is SSL (Secure Sockets Layer). Although we don't commonly see SSL in use any longer, you may see TLS communication referenced as SSL. Incorrect Answers B. SSH SSH (Secure Shell) can use symmetric or asymmetric encryption, but those ciphers are not associated with TLS. D. SNMPv2 SNMPv2 (Simple Network Management Protocol version 2) does not implement TLS, or any encryption, within the network communication. E. DNSSEC DNSSEC (DNS security extensions) do not provide any confidentiality of data. F. SRTP SRTP (Secure Real-time Transport Protocol) is a VoIP (Voice over IP) protocol used for encrypting conversations. SRTP protocol commonly uses AES (Advanced Encryption Standard) for confidentiality.

Darren is working with an independent auditor to produce an audit report that he will share with his customers under NDA to demonstrate that he has appropriate security controls in place. The auditor will not be assessing the effectiveness of those controls. What type of audit report should Darren expect? A. SOC 2 Type 1 B. SOC 2 Type 2 C. SOC 3 Type 1 D. SOC 3 Type 2

A. The fact that the auditor will not be assessing the effectiveness of the controls means that this is a Type 1 report. The fact that it will be shared only under NDA means that it is a SOC 2 assessment.

What type of security solution provides a hardware platform for the storage and management of encryption keys? A. HSM B. IPS C. SIEM D. SOAR

A. Hardware security module (HSM) provides an effective way to manage encryption keys. These hardware devices store and manage encryption keys in a secure manner that prevents humans from ever needing to work directly with the keys. HSM은 Hardware Security Module의 약어로, 암호화 키와 암호화 작업을 안전하게 저장하고 관리하는 데 사용되는 하드웨어 기반 보안 솔루션입니다. HSM은 보안 강화, 키 관리, 암호화 및 복호화 작업, 디지털 서명 생성 등의 작업을 수행하는 데 사용됩니다. 주로 민감한 데이터 및 키를 보호하고 암호화를 위한 안전한 환경을 제공하는 데 활용됩니다.

Which of the following refers to the contents of a rainbow table entry? A. Hash/Password B. IP address/Domain name C. Username/Password D. Account name/Hash

A. Hash/Password The contents of a rainbow table entry typically consist of a hash value and its corresponding plaintext password. A rainbow table is a precomputed table that stores pairs of hashes and their corresponding passwords to speed up password cracking attempts. The goal is to look up a hash in the table and find the associated plaintext password without having to perform the hash calculation for each potential password. So, option A, "Hash/Password," is the correct answer in this context.

Ed wants to trick a user into connecting to his evil twin access point. What type of attack should he conduct to increase his chances of the user connecting to it? A. A dissociation attack B. An application denial-of-service attack C. A known plain-text attack D. A network denial-of-service attack

A. If Ed can cause his target to disassociate from the access point they are currently connected to, he can use a higher transmission power or closer access point to appear higher in the list of access points. If he is successful at fooling the user or system into connecting to his AP, he can then conduct man-in-the-middle attacks or attacks or attempt other exploits. Denial-of-service attacks are unlikely to cause a system to associate with another AP, and a known plain-text attack is a type of cryptographic attack and is not useful for this type of attempt.

Which of the following threat actors typically has the greatest access to resources? A. Nation-state actors B. Organized crime C. Hacktivists D. Insider threats

A. Nation-state actors are government-sponsored, and they typically have the greatest access to resources, including tools, money, and talent.

Elaine wants to implement an AAA system. Which of the following is an AAA system she could implement? A. RADIUS B. SAML C. OAuth D. LDAP

A. Of all the listed options, only RADIUS is an authentication, authorization, and accounting (AAA) service - SAML: Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. - OAuth: OAuth is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites but without giving them the passwords. - LDAP: The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network. - RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. Elaine이 AAA (인증, 권한 부여, 회계) 시스템을 구현하려면 RADIUS (Remote Authentication Dial-In User Service)를 선택할 수 있습니다. RADIUS는 네트워크 인프라에서 사용자 인증 및 권한 부여를 처리하며, 널리 사용되는 AAA 프로토콜 중 하나입니다. RADIUS는 주로 네트워크 장비와 함께 사용되어 사용자가 네트워크에 안전하게 접근할 수 있도록 합니다.

Which of the following is not a typical reason to use an IP addressing schema in an enterprise? A. Avoiding use of other organizations' IP addresses B. Avoiding IP address exhaustion in a subnet C. Asset and system inventory D. Consistency of practice with gateway and other IP addresses

A. Organization should use IP addresses that are specifically allocated to the organization of that are RFC 1918 addresses that are non-Internet routable. That means that an addressing scheme should not be necessary to avoid using another organization's IP addresses. IP address schemas are commonly used to avoid IP address exhaustion when working in a subnet. The same tracking means that they are helpful when conducting asset and system inventory, since they help match a device on the network to a known physical system. Finally, consistently using the same IP address for default gateways and other common network components means that support staff do not have to learn unique configurations in each location or network

Which one of the following statements is not true about compensating controls under PCI DSS? A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement B. Controls must meet the intent of the original requirement C. Controls must meet the rigor of the original requirement D. Compensating controls must provide a similar level of defense as the original requirement

A. PCI DSS compensating controls must be "above and beyond" other PCI DSS requirements. This specifically bans the use of a control used to meet one requirement as a compensating control for another requirement.

What does an SSL stripping attack look for to perform an on-path attack? A. An unencrypted HTTP connection B. A DNS query that is not protected by DNSSEC C. An un protected ARP request D. All of the above

A. The original implementation of SSL stripping attacks relied heavily on unencrypted HTTP connections, and the updated version of SSLStrip+ continues to leverage HTTP connections, and then adds the ability to rewrite HTTPS links to HTTP links, allowing it even greater access to unencrypted links. DNSSEC and ARP are not involved in this technique.

Which of the following technologies is the least effective means of preventing shared accounts? A. Password complexity requirements B. Requiring biometric authentication C. Requiring one-time passwords via a token D. Requiring a one-time password via an application

A. Password complexity requirements do not prevent sharing of complex passwords, making it the least effective option from the list. Biometric authentication measures will require the enrolled user to be there, although in some cases such as fingerprint systems, multiple users could each enroll a valid fingerprint for a single account. both type of one-time passwords could be shared but make it harder and less convenient to share accounts.

Which one of the following servers is almost always an offline CA in a large PKI deployment? A. Root CA B. Intermediate CA C. RA D. Internal CA

A. Root CAs are highly protected and not normally used for certificate issuance. A root CA is usually run as an offline CA that delegates authority to intermediate CAs that run as online CAs. 대규모 PKI 배포에서 루트 CA는 거의 항상 오프라인에서 운영됩니다. 루트 CA는 최상위 CA로써 루트 인증서의 개인 키를 보호하고, 다른 중간 CA에 대한 신뢰 체인을 구축하는 역할을 합니다. 이러한 중요한 역할로 인해 루트 CA의 개인 키는 물리적으로 보호되는 보안 장치에 저장되고 오프라인으로 유지됩니다. 이렇게 함으로써 루트 CA의 개인 키를 보호하고, 보안을 강화하며, 키의 안전성을 유지할 수 있습니다. 중간 CA (Intermediate CA)는 주로 온라인에서 운영되며 루트 CA와 실제 통신하며 CA 계층 구조에서 루트 CA와 사용자 간에 위치합니다. RA (Registration Authority)는 인증서 발급 및 관리 프로세스를 지원하며, Internal CA (내부 CA)는 조직 내에서 사용되는 인증서를 발급하는 데 사용됩니다.

Brian has deployed a system that monitors sensors and uses that data to manage the power distribution for the power company that he works for. Which of the following terms is commonly used to describe this type of control and monitoring solution? A. SCADA B. AVAD C. SIM D. HVAC

A. SCADA (Supervisory control and data acquisition) is a system architecture that combines data acquisition and control devices with communications methods and interfaces to oversee complex industrial and manufacturing processes, just like those used in utilities. A SIM (Subscriber identity module) is the small card used to identify cell phones; HVAC stands for heating, ventilation, and air-conditioning; and AVAD was made up for this question.

Daniel knows that WPA3 has added a method to ensure that brute-force attacks against weak preshared keys are less likely to succeed. What is this technology called? A. SAE B. CCMP C. PSK D. WPS

A. Simultaneous Authentication of Equals (SAE) is used to establish a secure peering environment and to protect session traffic. Since the process requires additional cryptographic steps, it causes brute-force attacks to be much slower and thus less likely to succeed while also providing more security than WPA2's preshared key (PSK) mode. WPS is Wi-Fi Protected Setup, a quick setup capability; CCMP is the encryption mode used for WPA2 networks. WPA3 moves to 128-bit encryption for Personal mode and can support 1920bit encryption in Enterprise mode. WPA3 (Wi-Fi Protected Access 3)는 강력한 보안을 제공하기 위해 개발된 Wi-Fi 보안 프로토콜입니다. SAE (Simultaneous Authentication of Equals)는 WPA3에서 사용되는 기술 중 하나로, 사전 공유 키 (PSK) 공격에 대한 방어를 향상시키는 데 사용됩니다. SAE는 강력한 키 핸드셰이크 프로토콜을 제공하여 더 안전한 PSK를 생성하고 인증하는 데 도움이 됩니다. 다른 옵션들: B. CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol): CCMP는 Wi-Fi에서 데이터 암호화와 무결성 검사를 제공하는 프로토콜로, WPA2와 WPA3에서 사용됩니다. C. PSK (Preshared Key): PSK는 Wi-Fi 네트워크의 사전 공유된 암호화 키를 나타내며, WPA2와 WPA3에서 사용됩니다. D. WPS (Wi-Fi Protected Setup): WPS는 Wi-Fi 네트워크에 새로운 디바이스를 쉽게 연결하기 위한 간단한 설정 메커니즘입니다. 그러나 WPS는 보안 취약점으로 알려져 있어 사용을 지양하는 것이 좋습니다.

Tina is tuning her organization's intrusion prevention system to prevent false positive alerts. What type of control is Tina implementing? A. Technical Control B. Physical Control C. Managerial Control D. Operational Control

A. Technical controls enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption. 티나가 거짓 양성 경고를 방지하기 위해 침입 방지 시스템을 조정하고 있다면, 그녀는 기술적 제어를 구현하고 있습니다. 기술적 제어는 기술적인 조치나 설정을 통해 보안 문제를 해결하거나 관리하는 것을 의미합니다. 침입 방지 시스템의 설정을 조정하여 거짓 양성 경고를 최소화하려는 것은 기술적 조치입니다. 따라서 올바른 답은 A. 기술적 제어입니다.

Nick wants to display the ARP cache for a Windows system. What command should he run to display the cache? A. arp /a B. arp -d C. showarp D. arpcache -show

A. The "arp" command will show the system's ARP cache using the /a flag on Windows systems. Other flags are /d to delete the cache or single address if one is supplied, and /s which will allow you to add an entry. In most cases, security professionals will use the /a flag most frequently to see what exists in an ARP cache on a system. Windows에서 ARP(주소 해상도 프로토콜) 캐시를 표시하려면 "arp /a" 명령을 사용합니다. 이 명령은 현재 시스템의 ARP 테이블을 나열하고 관련된 정보를 표시합니다. B. "arp -d"는 ARP 캐시 항목을 삭제하는 데 사용됩니다. C. "showarp" 및 "arpcache -show"는 Windows의 기본 명령이 아닙니다.

Greg would like to find a reference document that describes how to map cloud security controls to different regulatory standards. What document would best assist with this task? A. CSA CCM B. NIST SP 500-292 C. ISO 27001 D. PCI DSS

A. The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a reference document designed to help organizations understand the appropriate use of cloud security controls and map those controls to various regulatory standards. NIST SP 500-292 is a reference model for cloud computing and operates at a high level. ISO 27001 is a general standard for cybersecurity, and PCI DSS is a regulatory requirement for organization involved in processing credit card transaction. CSA CCM은 클라우드 보안 컨트롤을 정의하고 다양한 규제 표준과 연결하는 데 도움이 되는 중요한 자원 중 하나입니다. 이 문서는 클라우드 보안에 관한 전반적인 가이드라인을 제공하고, 다양한 규제 표준과의 매핑을 지원합니다. B. NIST SP 500-292 (NIST Special Publication 500-292)은 NIST에서 제공하는 클라우드 보안에 관한 자료이지만, 특히 클라우드 보안 컨트롤을 규제 표준과의 매핑에 중점을 두는 것은 아닙니다. C. ISO 27001 및 PCI DSS는 각각 정보 보안 및 신용 카드 데이터 보안과 관련된 규제 표준이지만, 직접 클라우드 보안 컨트롤과의 매핑을 다루지는 않습니다.

Elle is implementing a VoIP telephony system and wants to use secure protocols. If she has already implemented SIPS, which other protocol is she most likely to use? A. SRTP B. UDP/S C. S/MIME D. SFTP

A. The Secure Real-Time Transfer Protocol is used for media streaming in many VoIP implementations. UDP/S is not an actual protocol, S/MIME is used for email, and SFTP is a replacement for FTP and is not typically associated with VoIP systems. Elle가 VoIP 통신 시스템을 구현하고 안전한 프로토콜을 사용하려고 한다면 SIPS(SIP Secure)를 이미 구현했으므로 음성 통화 데이터의 보안을 위해 SRTP(Secure Real-time Transport Protocol)를 사용하는 것이 일반적입니다. SRTP는 VoIP 및 음성 통화 트래픽을 안전하게 전송하기 위한 표준 프로토콜입니다. SRTP는 민감한 음성 데이터의 기밀성과 무결성을 보호하기 위해 사용됩니다. 다른 옵션들: B. UDP/S: UDP (User Datagram Protocol)는 IP 통신에서 데이터를 전송하는 데 사용되는 프로토콜이며, S는 일반적으로 Secure Socket Layer (SSL)을 나타냅니다. UDP/S는 일반적으로 VoIP 통신에 사용되지 않습니다. C. S/MIME: S/MIME (Secure/Multipurpose Internet Mail Extensions)은 이메일 통신의 보안을 위한 프로토콜이며, 음성 통화 시스템에 직접 관련되지 않습니다. D. SFTP: SFTP (SSH File Transfer Protocol)는 파일 전송을 위한 안전한 프로토콜이며, 음성 통화 시스템과는 관련이 없습니다.

Tony is reviewing the status of his organization's defenses against a breach of their file server. He believes that a compromise of the file server could reveal information that would prevent the company from continuing to do business. What term best describes the risk that Tony is considering? A. Strategic B. Reputational C. Financial D. Operational

A. The risk that Tony is contemplating could fit any one of these categories. However, his primary concern is that the company may no longer be able to do business if the risk materializes. This is a strategic risk. - Reputational risk: negative publicity surrounding a security breach - Financial risk: the risk of monetary damage resulting from breach - Operational risk: risk to carry out its day-to-day function, 토니가 고려하고 있는 위험은 조직의 전략적 측면에 영향을 미칠 수 있는 위험이며, 회사가 사업을 계속할 수 있는 능력에 영향을 미칠 수 있습니다. 이러한 경우, 전략적 위험이라고 부릅니다. 파일 서버의 침해로 인해 중요한 비즈니스 정보가 노출될 경우, 회사의 경쟁력, 평판, 그리고 재무적인 상태 등에 부정적인 영향을 미칠 수 있습니다. 따라서 올바른 답은 A. 전략적입니다.

Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address. http://www.mycompany.com/servicestatus.php?serviceID=1 http://www.mycompany.com/servicestatus.php?serviceID=2 http://www.mycompany.com/servicestatus.php?serviceID=3 http://www.mycompany.com/servicestatus.php?serviceID=4 http://www.mycompany.com/servicestatus.php?serviceID=5 http://www.mycompany.com/servicestatus.php?serviceID=6 What type of vulnerability was the attacker likely trying to exploit? A. Insecure direct object reference B. File upload C. Unvalidated redirect D. Session hijacking

A. The series of thousands of requests incrementing a variable indicate that the attacker was most likely attempting to exploit an insecure direct object reference - Insecure direct object reference vulnerability: If the application does not perform authorization checks, the user may be permitted to view information that exceeds their authority. 공격자는 서비스 ID 값을 순차적으로 증가시키며 동일한 URL에 대한 다수의 요청을 보내고 있습니다. 이러한 유형의 공격은 주로 "Insecure direct object reference" 또는 "보안이 취약한 직접 객체 참조" 공격으로 알려져 있습니다. 공격자는 서버에서 예상치 않은 데이터 또는 리소스에 액세스하려고 시도하며, 이를 통해 민감한 정보에 대한 무단 액세스 또는 다른 보안 문제를 유발할 수 있습니다.

Wanda is responsible for a series of seismic sensors placed at remote locations. These sensors have low-bandwidth connections and she would like to place computing power on the sensors to allow them to preprocess data before it is sent back to the cloud. What term best describes this approach? A. Edge computing B. Client-server computing C. Fog computing D. thin client computing

A. This approach ay be described as a client-server computing, but that is a general term that describes many different operating environment. The better term to use here is edge computing, which involved placing compute power at the client to allow it to perform preprocessing before sending data back to the cloud. Fog computing is a related concept that uses IoT gateway devices that are located in close physical proximity to the sensors. 이 접근 방식은 센서나 장치와 가까운 지점에서 데이터를 사전 처리하고, 클라우드로 보내기 전에 중앙 데이터 센터로 데이터를 보내는 것보다 효율적인 방식을 제공합니다. Edge computing은 저대역 네트워크와 같은 환경에서 특히 유용합니다. B. Client-server computing (클라이언트-서버 컴퓨팅)은 클라이언트와 서버 간의 전통적인 컴퓨팅 모델을 나타냅니다. C. Fog computing (포그 컴퓨팅)은 클라우드 컴퓨팅과 엣지 컴퓨팅 사이의 중간 지점에서 데이터 처리 및 분석을 수행하는 컴퓨팅 모델을 나타냅니다. D. Thin client computing (씬 클라이언트 컴퓨팅)은 주로 네트워크로 연결된 중앙 서버에서 컴퓨팅 리소스를 공유하는 모델을 나타냅니다.

Which one of the following data protection techniques is reversible when conducted properly? A. Tokenization B. Masking C. Hashing D. Shredding

A. Tokenization techniques use a lookup table and are designed to be reversible. Masking and hashing techniques replace the data with values that cannot be reversed back to the original data if performed properly. Shredding, when conducted properly, physically destroys the data so that it may not be recovered. 토큰화는 데이터 보호 기술 중에서 역으로 복원 가능한 기술입니다. 토큰화는 민감한 데이터를 원본 값 대신에 고유한 토큰으로 대체하는 프로세스를 나타냅니다. 이 고유한 토큰은 원본 데이터를 식별할 수 없으며, 원본 데이터에 대한 참조 역시 끊어지기 때문에 보안이 강화됩니다. 그러나 필요한 경우에는 토큰을 사용하여 원본 데이터로 다시 복원할 수 있습니다. 이러한 특성으로 인해 토큰화는 역으로 복원 가능한 데이터 보호 기술로 사용됩니다. 따라서 정답은 A. 토큰화(Tokenization)입니다.

Which of the following controls helps prevent insider threats? A. Two-person control B. Visitor log C. Air gaps D. Reception desks and staff

A. Two-person control is specifically intended to prevent insider threats by requiring two individuals to take given action. Visitor logs help determine who may have been admitted to a facility but would not stop an insider threat. Air gaps protect from network-based attacks, but an insider can bypass the air gap intentionally. Reception staff allow insiders into a facility if they are permitted to enter, which will not stop an insider threat either.

Which one of the following virtualization models provides the highest level of efficiency? A. Type I hypervisor B. Type II hypervisor C. Type III hypervisor D. Type IV hypervisor

A. Type I Hypervisor, also know as a bare metal hypervisors, run the hypervisor directly on top of the physical hardware, without requiring a host operating system. Type II hypervisors require a host operating system, which reduces efficiency. Type III and IV hypervisor do not exist. 가상화 모델 중에서 가장 효율적인 것은 "Type I 하이퍼바이저"입니다. Type I 하이퍼바이저는 직접 하드웨어 위에 설치되어 가상 머신을 실행합니다. 이로써 하드웨어 자원을 직접 관리하고 물리적 머신에 가깝게 가상 머신을 실행할 수 있으므로 효율적이고 높은 성능을 제공합니다. 반면에 "Type II 하이퍼바이저"는 호스트 운영 체제 위에서 실행되며 추가 오버헤드가 발생할 수 있습니다. "Type III 하이퍼바이저" 및 "Type IV 하이퍼바이저"는 일반적으로 클라이언트 머신에서 실행되며, 주로 개발 및 테스트 목적으로 사용되며 효율성이 떨어질 수 있습니다.

Naomi wants to deploy a tool that can allow her to scale horizontally while also allowing her to patch systems without interfering with traffic to her web servers. What type of technology should she deploy? A. A load balancer B. NIC teaming C. Geographic diversity D. A multipath network

A. a load balancer will fit Naomi's needs perfectly. Load balancers can spread traffic across multiple systems while allowing specific systems to be added or removed from the service pools in use. NIC teaming is used to increase bandwidth or to provide multiple network connections to a system, geographic diversity helps ensure that a single disaster impacting an organization cannot take the organization offline, and a multipath network prevents the disruption of a single network path from causing an outage. Naomi가 웹 서버의 확장과 시스템 패치를 관리하려면 로드 밸런서를 사용할 수 있습니다. 로드 밸런서는 트래픽을 여러 서버로 분산하여 수평 확장을 지원하고, 시스템 패치 및 유지 관리 작업을 수행할 때 서비스 중단을 최소화할 수 있도록 도와줍니다. 다른 옵션들은 다른 용도로 사용되는 기술이며, 이 문제의 상황과 관련이 없습니다. B. NIC teaming (NIC 팀핑)은 네트워크 인터페이스 카드의 묶음을 만들어 대역폭을 확장하고 내결함성을 제공하는 데 사용됩니다. C. Geographic diversity (지리적 다양성)은 재해 복구 및 가용성을 향상시키기 위해 여러 지역에 서버나 데이터 센터를 배치하는 것과 관련이 있습니다. D. Multipath network (다중 경로 네트워크)는 네트워크 연결의 중복 경로를 활용하여 가용성을 높이는 데 사용됩니다.

What type of NAC will provide Isaac with the greatest amount of information about the systems that are connecting while also giving him the most amount of control of systems and their potential impact on other systems that are connected to the network? A. Agent-based, pre-admission NAC B. Agentless, post-admission NAC C. Agent-based NAC, post-admission NAC D. Agent-based, post-admission NAC

A. agent-based, pre-admission NAC will provide Isaac with the greatest amount of information about a machine and the most control about what connects to the network and what can impact other systems. Since systems will not be connected to the network, even to a quarantine or pre-admission zone, until they have been verified, Isaac will have greater control. Isaac가 시스템 연결에 대한 최대 정보와 시스템 및 다른 연결된 시스템에 미치는 영향을 제어하기를 원한다면, "Agent-based, pre-admission NAC (Network Access Control)"을 사용해야 합니다. 이 유형의 NAC는 다음과 같은 특징을 갖습니다: Agent-based: 시스템에 에이전트(클라이언트 소프트웨어)를 설치하여 시스템의 속성 및 보안 상태를 수집합니다. 에이전트는 네트워크 연결 이전에 사용자 및 시스템을 평가하는 데 사용됩니다. Pre-admission: 연결을 허용하기 전에 클라이언트 시스템을 평가하고 인증하는 데 사용됩니다. 시스템의 보안 상태, 패치 수준, 백신 소프트웨어 상태 등을 확인하여 네트워크 접근을 제어합니다. 최대 제어: 클라이언트 시스템의 보안 상태를 검사하고 조치를 취할 수 있으므로 다른 시스템에 미치는 영향을 제어할 수 있습니다. 필요한 경우 연결을 차단하거나 격리할 수 있습니다. 다른 옵션들: Agentless, post-admission NAC (옵션 B): 에이전트를 설치하지 않고 연결을 허용한 후에 연결된 시스템을 평가하는 NAC입니다. 연결 후에 제어가 덜 강력하며 미리 평가하지 않습니다. Agent-based NAC, post-admission NAC (옵션 C): 에이전트를 설치하고 연결을 허용한 후에도 계속해서 시스템을 평가하는 NAC입니다. Agent-based, post-admission NAC (옵션 D): 에이전트를 설치하고 연결을 허용한 후에만 시스템을 평가하는 NAC입니다. 연결 후에만 시스템 상태를 확인하며, 연결 전에는 적용되지 않습니다.

When Mike receives the digitally signed message from David, what key should he use to verify the digital signature? A. David's public key B. David's private key C. Mike's public key D. Mike's private key

A. the recipient of a digitally signed message may verify the digital signature by decrypting it with the public key of the individual who signed the message. 디지털 서명을 확인할 때는 메시지를 서명한 송신자의 공개 키를 사용합니다. 따라서 Mike은 David의 공개 키를 사용하여 디지털 서명을 확인합니다. 공개 키를 사용하면 디지털 서명의 유효성을 확인할 수 있고, 메시지가 송신자에 의해 서명되었음을 인증할 수 있습니다. 디지털 서명을 확인하려면 송신자의 공개 키가 필요하며, 따라서 David의 공개 키가 사용됩니다. David의 개인 키는 서명 생성에 사용되고, 이 개인 키는 송신자만이 알고 있어야 합니다.

Bonita has discovered that her organization is running a service on TCP port 636. What secure protocol is most likely in use? A. LDAPS B. IMAPS C. SRTP D. SNMPv3

A. the secure version of LDAP runs on TCP port 636. IMAPS runs on 993, SRTP runs on UDP 5004, and SNMPv3 runs on the standard UDP 161 and 162 ports used for all versions of the protocol. TCP 포트 636은 LDAPS (Lightweight Directory Access Protocol over TLS/SSL)를 위해 주로 사용됩니다. LDAPS는 LDAP 프로토콜을 사용하여 디렉터리 정보에 안전한 액세스를 제공하기 위해 TLS/SSL 암호화를 사용하는 프로토콜입니다. 따라서 TCP 포트 636을 사용하는 서비스는 LDAP 서비스의 보안 버전인 LDAPS일 가능성이 높습니다. B. IMAPS (Internet Message Access Protocol over TLS/SSL)는 이메일 클라이언트와 메일 서버 간의 통신을 보호하기 위해 사용되는 프로토콜로, 일반적으로 TCP 포트 993을 사용합니다. C. SRTP (Secure Real-time Transport Protocol)는 음성 및 비디오 통신을 위한 안전한 프로토콜이며, UDP를 주로 사용합니다. D. SNMPv3 (Simple Network Management Protocol version 3)은 네트워크 장비 관리를 위한 프로토콜로, 주로 UDP 포트 161 및 162를 사용합니다.

Tony purchases virtual machines from Microsoft Azure and uses them exclusively for use by his organization. What model of cloud computing is this? A. Public cloud B. Private cloud C. Hybrid cloud D. Community Cloud

A. this is an example of public cloud computing because Tony is using a public cloud provider, MS Azure. The fact that Tony is limiting access to virtual machines to his own organization is not relevant because the determining factor for the cloud model is whether the underlying infrastructure is shared, not whether virtualized resources are shared.

Cynthia wants to make an exact copy of a drive using a Linux command-line tool. What command should she use? A. df B. cp C. dd D. ln

B. 'dd' is a copying and conversion command for Linux and can be used to create a forensic image that can be validated using an MD4sum or SHA1 hash. The other commands are 'df' for disk usage, 'cp' for copying files, and 'ln' to link files. Cynthia가 Linux 명령줄 도구를 사용하여 드라이브의 정확한 복사본을 만들고 싶다면 "dd" 명령을 사용해야 합니다. 정답: C. dd 다른 옵션에 대한 설명: A. "df" 명령은 디스크 사용량을 표시하는 명령입니다. B. "cp" 명령은 파일과 디렉토리를 복사하는 데 사용됩니다. D. "ln" 명령은 링크(하드 링크 또는 심볼릭 링크)를 생성하는 데 사용됩니다.

Alyssa wants to use her Android phone to store and manage cryptographic certificates. What type of solution could she choose to do this using secure hardware? A. SEAndroid B. A microSD HSM C. A wireless TPM D. MDM

B. A hardware security module (HSM) in a microSD from factors allows a mobile device like and Android phone to securely store and manage certificates. Alyssa will also need an application to access and use the HSM, but she will have a complete, portable, and secure solution for her PKI needs. SEAndroid allows mandatory access control to be enforced on an Android device. TPMs are connected to systems and are often integrated into the motherboard or added as plug-in module, not a wireless component. MDM is not a secure hardware solution, but it is a software solution for managing mobile devices. A microSD HSM은 안전한 하드웨어 모듈(HSM)을 포함한 마이크로 SD 카드로서, 안전한 저장 및 관리를 위해 암호화 키 및 인증서를 안전하게 보관할 수 있게 해줍니다. 이것은 안드로이드 기기에서 보안 인증서 및 키 관리를 향상시키는 데 사용될 수 있습니다. 다른 옵션들: A. SEAndroid: SEAndroid은 안드로이드 운영 체제의 보안을 강화하는 데 사용되는 보안 확장입니다. 그러나 인증서 및 키 관리를 위한 특별한 하드웨어 모듈은 아닙니다. C. A wireless TPM (Trusted Platform Module): TPM은 보안 및 암호화 키를 저장하고 관리하는 데 사용되는 하드웨어 보안 모듈입니다. 무선 TPM은 휴대성 및 연결성을 제공하지만, 일반적으로 microSD HSM보다는 복잡한 설정이 필요할 수 있습니다. D. MDM (Mobile Device Management): MDM은 모바일 디바이스 관리를 위한 소프트웨어 및 서비스를 제공하는 플랫폼입니다. MDM은 디바이스의 설정 및 보안을 관리하지만, 직접 인증서 및 키를 저장하거나 관리하지는 않습니다.

Madhuri is designing a load-balancing configuration for her company and wants to keep a single node from being overloaded. What type of design will meet this need? A. A daisy chain B. Active/active C. Duck-duck-goose D. Active/passive

B. Active/Active designs spread traffic among active nodes, helping to ensure that a single node will not be overwhelmed. Active/passive designs are useful for disaster recovery and business continuity, but they do not directly address heavy load on a single node. There are many load-balancing schemes, but daisy chains and duck, duck, goose are not among them.

Ken is conducting threat research on Transport Layer Security (TLS) and would like to consult the authoritative reference for the protocol's technical specification. What resource would best meet his needs? A. Academic journal B. Internet RFCs C. Subject matter experts D. Textbooks

B. All of these resources might contain information about the technical details of TLS. But, Internet Request for Comments (RFCs) documents are the definitive technical standards for Internet protocols. Consulting the RFCs would be Ken's best option. 전송 계층 보안(TLS) 및 다른 네트워크 프로토콜의 기술 명세는 주로 RFC(Request for Comments) 문서에 포함되어 있습니다. RFC는 네트워크 프로토콜 및 기술에 대한 공식적인 기술 스펙을 제공하는 권위 있는 문서입니다. 따라서 Ken이 TLS의 기술 명세를 찾고 있다면, Internet RFCs를 참고하는 것이 가장 적합한 선택입니다.

Grace would like to determine the operating system running on a system that she is targeting in a penetration test. Which one of the following techniques will most directly provide her with this information? A. Port Scanning B. Footprinting C. Vulnerability Scanning d. Packet Capture

B. All of these techniques might provide Grace with information about the operating system running on a device. However, footprinting is a technique specifically designed to elicit this information - Packet Capture: is a networking practice involving the interception of data packets traveling over a network 풋프린팅은 펜트레이션 테스트의 정찰(Reconnaissance) 단계 중 하나로, 시스템 및 네트워크 정보를 수집하고 목표 시스템에 대한 정보를 확보하는 프로세스를 나타냅니다. 이 프로세스를 통해 그레이스는 대상 시스템의 운영 체제 버전 및 다른 관련 정보를 수집할 수 있습니다.

Which of the following measures is not commonly used to assess threat intelligence? A. Timeliness B. Detail C. Accuracy D. Relevance

B. Although higher levels of detail can be useful, they are not a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information. 설명: 위협 인텔리전스 평가에서 시간성(Timeliness), 정확성(Accuracy), 그리고 관련성(Relevance)은 매우 일반적으로 고려되는 중요한 요소입니다. 이러한 요소는 정보가 얼마나 신속하게 제공되는지, 얼마나 정확한지 및 조직에게 어떤 가치가 있는지를 결정하는 데 중요합니다. 그러나 "세부사항(Detail)"은 위협 인텔리전스의 질을 평가하는 데 흔히 사용되지 않습니다. 세부사항은 정보의 깊이나 상세한 내용을 나타내는 것이며, 일부 상황에서는 세부사항이 중요할 수 있지만, 다른 경우에는 요약된 정보만 필요할 수 있습니다

Michelle wants to prevent unauthorized applications from being installed on a system. What type of tool can she use to allow only permitted applications to be installed? A. A hardening application B. An allow list application C. A deny list application D. A HIPS

B. An allow list application will allow only specific permitted programs to be installed on a system. Deny list applications will prevent specified applications from being installed. Hardening applications are not a specific category of tool, although hardening scripts are in use, and a HIPS is a host intrusion prevention system. Michelle은 "허용 목록 (allow list)" 애플리케이션을 사용하여 허용된 애플리케이션만 설치할 수 있도록 시스템을 구성할 수 있습니다. 이러한 애플리케이션은 특정 애플리케이션을 명시적으로 허용하고 다른 애플리케이션을 차단하는 데 사용됩니다. A hardening application: "Hardening"은 시스템의 보안을 강화하기 위한 조치를 나타내며, 허용 또는 거부하는 애플리케이션을 관리하기보다는 시스템의 보안 설정을 강화하는 데 사용됩니다. C. A deny list application: "Deny list" 애플리케이션은 특정 애플리케이션을 차단하는 데 사용됩니다. 하지만 Michelle이 "허용된 애플리케이션만 설치"하도록 제어하려는 경우 "허용 목록 (allow list)"이 더 적합합니다. D. A HIPS (Host-based Intrusion Prevention System): HIPS는 시스템 내에서 이상한 활동을 감지하고 차단하기 위한 시스템 보안 도구이며, 애플리케이션 설치를 관리하기 위한 명시적인 메커니즘은 아닙니다.

Tonya discovers that an employee is running a side business from his office, using company technology resources. What policy would most likely contain information relevant to this situation? A. NDA B. AUP C. Data ownership D. Data classification

B. An organization's Acceptable Use Policy (AUP) should contain information on what constitutes allowable and unallowable use of company resources. This policy should contain information to help guide Tonya's next step.

What element of the SCAP framework can be used to consistently describe vulnerabilities? A. CPE B. CVE C. CVSS D. CCE

B. Common Vulnerabilities and Exposure (CVE) provides a standard nomenclature for describing security-related software flaws. Common Configuration Enumeration (CCE) provides a standard nomenclature for discussing system configuration issues. Common Platform Enumeration (CPE) provides a standard nomenclature for describing product names and versions. The Common Vulnerability Scoring system (CVSS) provides a standardized approach for measuring and describing the severity of security-related software flaws. SCAP (Security Content Automation Protocol) 프레임워크에서 취약점을 일관되게 설명하는 데 사용되는 요소는 무엇인가요? B. CVE (Common Vulnerabilities and Exposures) 설명: CVE (Common Vulnerabilities and Exposures)는 SCAP 프레임워크에서 취약점을 식별하고 기술하는 데 사용되는 표준 식별자입니다. CVE는 취약점에 고유한 번호를 할당하여 취약점을 식별하고 추적할 수 있게 합니다. 이것은 다양한 보안 도구 및 시스템 간에 취약점 정보를 공유하고 효율적으로 관리하기 위한 중요한 구성 요소입니다.

Which one of the following is NOT an advantage of database normalization? A. Preventing data inconsistencies B. Preventing injection attacks C. Reducing the need for database restructuring D. Making the database schema more informative

B. Database normalization has 4 benefits. Normalized designs (1) prevent data inconsistencies, (2) prevent update anomalies, (3) reduce the need for restructuring existing databases, (4) make the database schema more informative. They do not prevent web application attacks, such as SQL injection. 데이터베이스 정규화의 주요 이점은 데이터 일관성을 유지하고 데이터 중복을 방지하여 데이터베이스를 효율적으로 관리하는 데 도움을 줍니다. 그러나 데이터베이스 정규화는 주로 데이터 구조와 일반적인 데이터베이스 설계에 관련되어 있습니다. 인젝션 공격 방지는 보안 측면에서 중요한 이점이지만, 데이터베이스 정규화의 주요 목표는 데이터 관리와 구조화에 관한 것입니다. 데이터베이스 정규화는 데이터 구조를 최적화하여 쿼리 성능을 향상시키고 데이터 일관성을 유지하는 데 중점을 둡니다. 인젝션 공격 방지는 데이터베이스 보안을 강화하는 다른 보안 메커니즘과 관련이 있습니다.

Tim is working on a change to a web application used by this organization to fix a known bug. What environment should he be working in? A. Test B. Development C. Staging D. Production

B. Developers working on active changes to code should always work in the development environment. The test environment is where the software or systems can be tested without impacting the production environment. The staging environment is a transition environment for code that has successfully cleared testing and is waiting to be deployed into production. The production environment is the live system. Software, patches, and other changes that have been tested and approved move to production. 버그를 수정하거나 새로운 기능을 개발하는 경우에는 주로 "Development" (개발) 환경에서 작업해야 합니다. 개발 환경은 실제 운영 환경이나 사용자에게 노출되지 않는 환경으로, 코드 변경 사항을 테스트하고 디버그할 수 있는 공간입니다. 변경 사항이 안정화되고 버그가 수정되면 테스트, 스테이징 또는 프로덕션 환경으로 배포됩니다.

Florian wants to ensure that systems on a protected network cannot be attacked via the organization's network. What design technique should he use to ensure this? A. A hot aisle B. An air gap C. A Cold aisle D. Protected cable distribution

B. Florian can use an air gapped network. An air gapped network or system is one without a connection to other systems or networks, requiring data and files to be manually copied to it. Hot and cold aisles are used in datacenters as part of airflow and thermal regulation, and protected cable distribution is used to ensure that cables cannot be accessed or tapped without network administrators or security professionals being aware. 에어 갭은 두 시스템 간의 물리적인 분리를 나타내는 용어로, 네트워크와 보호된 시스템 사이에 네트워크 연결이 없음을 의미합니다. 이것은 완전한 네트워크 격리를 제공하며, 보호된 시스템이 외부 네트워크에서 직접 액세스되지 않도록 보장합니다. A. A hot aisle (핫 아일)은 데이터 센터 냉각을 위한 용어로, 네트워크 보안과는 관련이 없습니다. C. A Cold aisle (콜드 아일)은 데이터 센터 냉각을 위한 용어로, 네트워크 보안과는 관련이 없습니다. D. Protected cable distribution (보호된 케이블 분배)은 케이블 및 케이블 경로의 보안을 강화하기 위한 방법으로, 네트워크 분리와 관련이 있을 수 있지만, 에어 갭만큼 강력한 격리를 제공하지는 않습니다.

Gurvinder wants to select a mobile device deployment method that provides employees with devices that they can use as though they're personally owned to maximize flexibility and ease of use. Which deployment model should he select? A. CYOD B. COPE C. BYOD D. MOTD

B. Gurvinder's requirements fit the COPE (Corporate-owned, personally enabled) mobile device deployment model. Choose your own device (CYOD) allows users to choose a device but then centrally manages it. BYOD allows users to use their own device.

Ian has been receiving hundreds of false positive alerts from his SIEM every night when scheduled jobs run across his datacenter. What should he adjust on his SIEM to reduce the false positive rate? A. Trend analysis B. Sensitivity C. Correlation rules D. Dashboard configuration

B. Ian's first step should be changing the sensitivity for his alerts. Adjusting the alerts to ignore safe or expected events can help reduce false positives. Correlation rules may then need to be adjusted if they are matching unrelated items. Dashboards are used to visualize data, not for alerting, and trend analysis is used to feed dashboards and reports.

Tracy is concerned about attacks against the machine learning algorithm that her organization is using to assess their network. What step should she take to ensure that her baseline data is not tainted? A. She should scan all systems on the network for vulnerabilities and remediate them before using the algorithm. B. She should run the ML algorithm on the network only if she believes it is secure. C. She should disable outbound and inbound network access so that only normal internal traffic is validated. D. She should disable all firewall rules so that all potential traffic can be validated.

B. If Tracy is worried about baselining her network and having tainted data, she needs to ensure that no malicious activity is occurring when she runs the baseline data capture. That way, the machine learning algorithm will only be working with normal traffic patterns and behaviors and can then detect and alert on things that are abnormal. ML 알고리즘을 사용하여 네트워크를 평가할 때, 먼저 네트워크의 보안을 확보하고 안전한 상태로 유지해야 합니다. 베이스라인 데이터의 무결성을 보호하기 위해 먼저 네트워크 보안을 강화하고 공격에 대비해야 합니다. 다른 선택지인 "She should scan all systems on the network for vulnerabilities and remediate them before using the algorithm" (알고리즘을 사용하기 전에 네트워크의 모든 시스템을 취약점 검사하고 해결해야 합니다)은 중요한 조치일 수 있지만, 베이스라인 데이터의 무결성을 보호하는 목적은 아닙니다. "She should disable outbound and inbound network access so that only normal internal traffic is validated" (외부 및 내부 네트워크 액세스를 비활성화하여 정상적인 내부 트래픽만 유효화해야 합니다) 및 "She should disable all firewall rules so that all potential traffic can be validated" (모든 방화벽 규칙을 비활성화하여 모든 잠재적인 트래픽을 유효화해야 합니다)은 보안에 심각한 위험을 초래할 수 있으므로 권장되지 않습니다.

Referring to the scenario in question before, if Acme Widgets switched to an asymmetric encryption algorithm, how many keys would be required to add the 11th employee? A. 1 B. 2 C. 10 D. 11

B. In an asymmetric encryption algorithm, each employee needs only two keys: a public key and a private key. Adding a new user to the system requires the addition of these two keys for that user, regardless of how many other users exist.

Laura wants to deploy a WPA2 secured wireless for her small business, but she doesn't have a RADIUS server set up. If she wants her Wi-Fi to be encrypted, what is her best option for wireless authentication? A. EAP B. PSK C. EAP-TLS D. Open Wi-Fi with a captive portal

B. In small business and home environments, prehared keys (PSKs) allow encryption without enterprise authentication and a RADIUM server. Both EAP and EAP-TLS are used in enterprise authentication environments, and open Wi-Fi doesn't use encryption. Laura가 RADIUS 서버를 설정하지 않고 WPA2로 보호된 무선 네트워크를 배포하려는 경우, 가장 쉬운 옵션은 PSK(Pre-Shared Key)를 사용하는 것입니다. PSK는 사전에 공유된 암호 키를 사용하여 사용자 및 장치를 인증하는 방법으로, 간단한 설정으로 무선 네트워크를 안전하게 보호할 수 있습니다. 이 경우 네트워크에 액세스하려는 모든 사용자와 장치에게 동일한 사전 공유된 키를 제공하면 됩니다. 다른 옵션들: A. EAP (Extensible Authentication Protocol)는 엔터프라이즈 환경에서 사용되는 강력한 인증 방법 중 하나이지만, RADIUS 서버 설정이 필요하며 더 복잡합니다. C. EAP-TLS (EAP with Transport Layer Security)는 강력한 인증 및 암호화를 제공하는 보안 프로토콜이지만, RADIUS 서버 및 디지털 인증서 관리가 필요합니다. D. Open Wi-Fi with a captive portal은 오픈 무선 네트워크를 제공하고 사용자가 인터넷 액세스를 위해 로그인 또는 인증해야 하는 방법입니다. 하지만 보안에 취약하며, 비즈니스 환경에서는 권장되지 않을 수 있습니다.

Which one of the following tools is most likely to detect an XSS vulnerability? A. Static application test B. Web application vulnerability scanner C. Intrusion detection D. Threat hunting

B. Intrusion detection systems do not detect vulnerabilities; they detect attacks. The remaining three tools could all possibly discover a cross-site scripting (XSS) vulnerability, but a web application vulnerability scanner is the most likely to detect it because it is specifically designed to test web application. - Static application test: Static testing analyzes code without executing it for the application - XSS is a vulnerability for web application. XSS (Cross-Site Scripting) 취약점은 주로 웹 애플리케이션에서 발생하는 보안 취약점 중 하나입니다. 이러한 취약점을 감지하고 식별하기 위해서는 웹 애플리케이션 취약점 스캐너와 같은 전문 도구나 서비스를 사용하는 것이 가장 효과적입니다. 웹 애플리케이션 취약점 스캐너는 웹 애플리케이션의 입력 포인트를 검사하고 XSS와 같은 취약점을 식별하기 위해 자동으로 테스트를 수행합니다.

Joanna recovers a password file with passwords stored as MD5 hashes. What tool can she use to crack the passwords? A. MD5sum B. John the Ripper C. GPG D. Netcat

B. Joanna needs to use a password cracking tool. Although John the ripper is a useful password cracking tool, an even faster technique for most passwords with a known hashing scheme would be to use a rainbow table-based cracker like OphCrack to look up the hashes using a precomputed databse of likely passwords. MD5sum is a tool for creating MD5 hashes, not for cracking passwords, GPG is an encryption tool, and netcat is a great network tool with may uses, but password cracking is not one of them. John the Ripper는 해시된 비밀번호를 크랙하는 데 사용되는 유명한 패스워드 크래킹 도구 중 하나입니다. 이 도구는 다양한 해시 알고리즘과 해시 형식을 지원하며, 비밀번호 딕셔너리와 다양한 크랙킹 기술을 사용하여 해시된 비밀번호를 추측하고 복원하는 데 사용됩니다. 다른 선택지인 "MD5sum"은 MD5 해시를 생성하는 도구입니다. "GPG"는 GNU Privacy Guard의 약어로, 암호화 및 전자 서명을 위한 도구입니다. "Netcat"은 네트워크 통신을 위한 유틸리티입니다. 이들은 비밀번호 크랙에 직접적으로 사용되지 않습니다.

Which of the following is the least volatile according to the forensic order of volatility? A. The system's routing table B. Logs C. Temp files D. CPU registers

B. Logs, along with any file that is stored on disk without the intention of being frequently overwritten, are the last volatile item listed. In order from most volatile to least from the answers here: CPU registers, the system's routing table, temp files, and logs.

Wayne is concerned that an on-path attack has been used against computers he is responsible for. What artifact is he most likely to find associated with this attack? A. A compromised router B. A browser plug-in C. A compromised server D. A modified hosts file

B. Man-in-the-browser attacks take advantage of malicious browser plug-ins or proxies to modify traffic at the browser level. They do not involve compromised routers or servers, and a modified hosts file is more likely to be involved in a man-in-the-middle attack.

Olivia wants to install a host-based security package that can detect attacks against the system coming from the network, but she does not want to take the risk of blocking the attacks since she fears that she might inadvertently block legitimate traffic. What type of tool could she install that will meet this requirement? A. A host firewall B. A host intrusion detection system C. A host intrusion prevention system D. A data loss prevention tool

B. Olivia should install a host-based intrusion detection system. An IDS can detect and report on potential attacks but does not have the ability to stop them. A host-based IPS can be configured to report only on attacks, but it does have the built-in ability to be set up to block them. Firewalls can block known ports, protocols, or applications, but they do not detect attacks - although advanced modern firewalls blur the line between firewalls and other defensive tools. Finally, a data loss prevention tool focuses on preventing data exposures, not on stopping network attacks. 호스트 침입 탐지 시스템 (HIDS)은 시스템에서의 네트워크로부터의 공격을 감지하는 도구로, 공격을 감지할 뿐 아니라 정당한 트래픽을 차단하지 않습니다. 이는 Olivia가 시스템의 보안을 강화하면서 정당한 트래픽에 대한 위험을 줄일 수 있도록 도와줍니다. 다른 보기들에 대한 설명은 다음과 같습니다: A. 호스트 방화벽: 공격을 감지하지만 정당한 트래픽을 차단하는 역할을 합니다. C. 호스트 침입 방지 시스템 (HIPS): 공격을 감지하고 차단할 수 있지만, Olivia의 요구 사항을 충족시키지 못합니다. D. 데이터 유실 방지 도구: 데이터 유실 방지에 초점을 맞추며, 공격 탐지에는 특별히 효과적이지 않습니다.

Alaina discovers that someone has set up a website that looks exactly like her organization's banking website. Which of the following terms best describes this sort of attack? A. Phishing B. Pharming C. Typosquatting D. Tailgating

B. Pharming best fits this description. Pharming attacks use web pages that are designed to look like a legitimate site but that attempt to capture information like credentials. Typosquatting relies on slightly incorrect hostnames or URLs, and nothing like that is mentioned in the question. Tailgating is an in-person attack, and phishing is typically done via email or other means to request information, not by setting up a site like this, although some phishing attacks may direct to a pharming website. Pharming은 공격자가 피해자를 조작하여 특정 웹사이트로 리디렉션하는 공격 유형 중 하나입니다. 공격자는 DNS 포이즈닝과 같은 기술을 사용하여 특정 도메인 이름을 다른 IP 주소로 변조하거나, 피해자를 악성 웹사이트로 리디렉션합니다. 이 공격을 통해 공격자는 사용자의 개인 정보를 획득하거나 피해자를 다른 악의적인 목적지로 유도할 수 있습니다.

Michelle enables the Windows 10 picture password feature to control logins for her laptop. Which type of attribute will it provide? A. Somewhere you are B. Something you can do C. Something you exhibit D. Someone you know

B. Picture password asks users to click on specific, self-defined parts of a picture. This means that clicking on those points ins something you can do. Somewhere you are involves a location, something you exhibit is typical of personality traits, and someone you know would involve a third party, which can be useful for verification when someone cannot otherwise prove their identity.

Ben wants to analyze Python code that he believes may be malicious code written by an employee of his organization. What can he do to determine if the code is malicious? A. Run a decompiler against it to allow him to read the code. B. Open the file using a text editor to review the code. C. Test the code using an antivirus tool. D. Submit the Python code to a malware testing website.

B. Python is an interpreted rather than a compiled language, so Ben does not need to use a decompiler. Instead, his best bet is to open the file and review the code to see what it does. Since it was written by an employee, it is unlikely that it will match an existing known malicious package, which means antivirus and antimalware tools and sites will be useless. 악성 코드인지 여부를 결정하려면 코드를 분석하고 검토해야 합니다. Python 코드는 일반적으로 텍스트 파일로 저장되므로 텍스트 편집기를 사용하여 코드 내용을 확인할 수 있습니다. 코드의 특이한 또는 의심스러운 부분을 식별하거나, 알려진 악성 패턴을 찾는 것이 중요합니다. 코드를 직접 검토하면 코드의 동작과 의도를 더 잘 이해할 수 있습니다.

Chris wants to run a RAID that is a mirror of two disks. What RAID level does he need to implement? A. 0 B. 1 C. 2 D. 5

B. RAID 1 is a mirror of two disks, with each disk a complete copy of the other disk. RAID 0 is a stripe of two disks and does not help with redundancy, instead focusing on performance. RAID 2 is rarely used, and stripes data and uses error correction RAID 5 stripes by blocks of data and distributes parity information among drives.

What type of malware is frequently called stalkerware because of its use by those in initimate relationship to spy on their partners? A. Worms B. RATs C. Crypto malware D. PUPs

B. RATs, or remote access Trojans, are sometimes called stalkerware because they are often utilized by those in intimate relationships to spy on their partners. They provide remote access and other capabilities to computers and mobile devices. 스토커웨어는 종종 악성 원격 액세스 트로이 목마(RATs)의 일종으로 사용됩니다. 이러한 악성 소프트웨어는 공격자가 타겟의 컴퓨터 또는 기기에 원격으로 액세스하여 침입 대상의 활동을 모니터링하거나 기록할 수 있는 기능을 제공합니다. 이것은 부정적인 목적으로 사용될 수 있는 매우 개인적인 침입 형태로, 스토커웨어라고도 불리며 합법적인 목적으로 사용되어서는 안됩니다.

Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information? A. Vulnerability feed B. IoC C. TTP D. RFC

B. Specific details of attacks that may be used to identify compromises are known as indicators of compromises (IoCs). This data may also be described as an adversary tool, tactic, or procedure (TTP), but the fact that it is a set of file signatures makes it more closely match the definition of an IoC. Vulnerability feed is insights into the types of exploits being discovered by researchers. IoC는 침해 사건을 탐지하거나 조사하기 위해 사용되는 특정한 조직의 정보 또는 활동의 흔적 또는 지표를 나타냅니다. 해시 값은 파일 또는 데이터의 정확한 내용을 나타내는 것이 아니지만, 파일 또는 데이터가 변조되었거나 악성 소프트웨어와 연관될 수 있는 특정 지표로 사용될 수 있습니다. 따라서 빈스가 받은 해시 값은 IoC로 분류됩니다.

Allan is developing a document that lists the acceptable mechanisms for securely obtaining remote administrative access to servers in his organization. What type of document is Allan writing? A. Policy B. Standard C. Guideline D. Procedure

B. Standard describe specific security controls that must be in place for an organization. Allan would not include acceptable mechanisms in a high-level policy document, and this information is too general to be useful as a procedure. Guidelines are not mandatory, so they would not be applicable in this scenario.

Susan wants to ensure that the threat of a lost phone creating a data breach is minimized. What two technologies should she implement to do this? A. Wi-Fi and NFC B. Remote wipe and FDE C. Containerization and NFC D. Geofencing and remote wipe

B. Susan's best options are to use a combination of full-device encryption (FDE) and remote wipe. If a device is stolen and continues to be connected to the cellular network, or reconnects at any point, the remote wipe will occur. If it does not, or if attackers attempt to get data from the device and it is locked, the encryption will significantly decrease the likelihood of the data being accessed. Of course, cracking a passcode, PIN, or password remains a potential threat. NFC and Wi-Fi are wireless connection methods and have no influence on data breaches due to loss of a device. Geofencing may be useful for some specific organizations that want to take action if devices leave designated areas, but it is not a general solution. Containerization may shield data, but use of containers does not immediately imply encryption or other protection of the data, simply that the environments are separated. 데이터 무결성과 보안을 유지하기 위해 분실된 핸드폰의 데이터 노출을 최소화하기 위한 가장 일반적인 방법은 다음과 같습니다: Remote wipe: 원격 삭제 기능을 통해 분실된 핸드폰의 데이터를 원격에서 지울 수 있습니다. 이렇게 하면 데이터 유출 위험이 감소하고, 민감한 정보를 보호할 수 있습니다. FDE (Full Disk Encryption): 디스크의 모든 데이터를 암호화하여 데이터 유출을 방지합니다. 분실된 핸드폰을 사용하려는 불법적인 시도에서 데이터를 안전하게 보호합니다. 다른 옵션들: A. Wi-Fi와 NFC는 무선 통신 기술이며, 분실된 핸드폰의 데이터 보호와 직접 관련이 없습니다. C. Containerization은 애플리케이션과 데이터를 격리된 환경에 보관하는 기술로, 보안에 도움이 될 수 있지만 분실된 핸드폰의 데이터 보호만을 위한 것은 아닙니다. D. Geofencing은 특정 지리적 위치에서 핸드폰의 동작을 제어하는 기술로, 데이터 보호와 직접적인 연관이 없습니다.

Valerie wants to replace the telnet access that she found still in use in her organization. Which protocol should she use to replace it, and what port will it run on? A. SFTP, port 21 B. SSH, port 22 C. HTTPS, port 443 D. RDP, port 3389

B. Telnet provides remote command-line access but is not secure. SSH is the most common alternative to telnet, and it operates on port 22. 텔넷은 비밀번호와 데이터를 암호화하지 않고 전송하기 때문에 보안 문제가 있습니다. 대신 SSH(Secure Shell) 프로토콜을 사용하여 텔넷을 안전하게 대체할 수 있습니다. SSH는 포트 22에서 실행됩니다. 이것은 보안된 원격 접속 및 데이터 전송을 지원하는 안전한 프로토콜입니다.

Charles wants to monitor changes to a log file via a command line in real time. Which of the following command-line Linux tools will let him see the last lines of a log file as they change? A. logger B. tail C. chmod D. head

B. The Linux "tail" command with the -f flag will follow a file as it changes, showing the last 10 lines by default. Charles can use this to monitor a log file as it changes. "logger" adds text to the syslog file, "chmod" changes permissions, and "head" shows the first 10 lines of a file, which will typically be the oldest entries in the log file on a Linux system. Charles는 로그 파일의 마지막 라인을 변경 사항이 발생할 때마다 볼 수 있도록 하려면 "tail" 명령어를 사용해야 합니다. "tail" 명령은 파일의 끝에서부터 출력을 보여주므로 실시간으로 로그 파일의 변경 사항을 모니터링하는 데 적합합니다.

Chris has turned on logon auditing for a Windows system. Which log will show them? A. The Windows Application log B. The Windows Security log C. The Windows System log D. All of the above

B. The Windows Security log records 'log on events' when logon auditing is enabled. The Application and System logs do not contain these events. 크리스가 Windows 시스템에서 로그온 감사를 활성화했다면, 주로 **Windows 보안 로그(Windows Security log)**에서 해당 이벤트를 확인할 수 있습니다. A. Windows 응용 프로그램 로그: 이 로그에는 주로 시스템에서 실행되는 응용 프로그램 및 서비스와 관련된 이벤트가 포함되며 로그온 이벤트와 관련된 정보를 기록하지 않습니다. C. Windows 시스템 로그: 이 로그에는 주로 시스템의 운영 상태 및 하드웨어 관련 이벤트가 포함되며 로그온 이벤트와 관련된 정보를 기록하지 않습니다. 따라서 올바른 답은 B. Windows Security 로그입니다. 이 로그는 주로 보안 관련 이벤트를 기록하며 로그온 및 인증 활동을 포함합니다.

Joe is authoring a document that explains to system administrators one way that they might comply with the organization's requirement to encrypt all laptops. What type of document is Joe writing? A. Policy B. Guideline C. Procedure D. Standard

B. The key word in this scenario is 'one-way.' This indicates that compliance with the document is not mandatory, so Joe must be authoring a guideline. Policies, standards, and procedures are all mandatory.

Isaac is performing a forensic analysis on two systems that were compromised in the same event in the same facility. As he performs his analysis, he notices that the event appears to have happened almost exactly one hour earlier on one system than the other. What is the most likely issue he has encountered? A. The attacker took an hour to get to the second system. B. One system is set to an incorrect time zone. C. The attacker changed the system clock to throw off forensic practitioners. D. The forensic tool is reading the timestamps incorrectly.

B. The most common cause of an hour of difference between two systems is an environment is an incorrectly set time zone. Isaac should check the time zone settings, and then correct his findings based on the time zones set on the systems if necessary. 하나의 시스템은 올바르지 않은 시간대로 설정되어 있습니다. 한 시스템이 올바르지 않은 시간대로 설정되어 있어서 이런 시간 차이가 발생한 것으로 보입니다. 시스템의 시간 설정을 확인하고 올바른 시간대로 수정해야 합니다. 다른 보기들에 대한 설명은 해당 상황과 무관한 것으로 보입니다.

If David wishes to digitally sign the message that he is sending Mike, what key would he use to create the digital signature? A. David's public key B. David's Private Key C. Mike's public key D. Mike's private key

B. The sender of a message may digitally sign the message by encrypting a message digest with the sender's own private key 전자 서명을 생성할 때 개인 키가 사용됩니다. David가 메시지를 서명하려면 자신의 개인 키를 사용하여 디지털 서명을 생성합니다. 이 디지털 서명은 David의 개인 키로 생성되었으므로 메시지의 무결성을 보호하고 송신자를 인증하는 데 사용됩니다. 디지털 서명을 확인하려면 David의 공개 키가 필요하며, Mike은 David의 공개 키를 사용하여 디지털 서명을 확인할 수 있습니다.

Kevin would like to ensure that his software runs on a platform that is able to expand and contract as needs change. which one of the following terms best describes his goal? A. Scalability B. Elasticity C. Cost effectiveness D. Agility

B. The situation described in the scenario, expanding capacity when demand spikes and then reducing that capacity when demand falls again, is the definition of elasticity. 케빈의 목표는 소프트웨어를 필요에 따라 자동으로 확장하거나 축소할 수 있는 능력을 갖춘 플랫폼을 사용하는 것입니다. 이러한 능력을 가진 플랫폼은 "Elasticity" 또는 "탄력성"을 갖추고 있다고 말합니다. 탄력성은 리소스를 동적으로 할당하고 해제하여 트래픽 또는 작업 부하의 변동에 대응하는 데 사용됩니다.

Which one of the following function calls is closely associated with Linux command injection attacks? A. sudo( ) B. system( ) C. mkdir( ) D. root( )

B. The system( ) function executes a command string against the operating system from within an application and may be used in command injection attacks. system() 함수는 명령을 실행하는 데 사용되며, 사용자 입력을 받아들일 수 있기 때문에 명령 인젝션 공격에 취약할 수 있습니다. 이를 통해 공격자는 악의적인 명령을 시스템에 실행시키려고 시도할 수 있습니다. 따라서 시스템 보안을 위해 이 함수를 안전하게 사용해야 합니다.

Elenora runs the following command on a Linux system: "cat example.txt example2.txt" What will result? A. The contents of 'exmaple.txt' will be appended to 'example2.txt' B. The contents of both 'example.txt' and 'example2.txt' will be displayed on the terminal C. The contents of 'exmaple2/txt' will be appended to 'example.txt' D. The contents of 'example.txt.' will be merged on alternating lines with the contents of 'example2.txt'.

B. Using the 'cat' command with two filenames will simply display both files to the terminal. Appending a file to another file requires directing output to that file, such as 'cat example.txt >> exmaple2.txt.

What major difference is likely to exist between on-premises identity services and those used in a cloud-hosted environment? A. Account policy control will be set to the cloud provider's standards B. The cloud service will provide account and identity management services. C. Multifactor authentication will not be supported by the cloud vendor. D. None of the above

B. most cloud services provide identity and authorization tools for their services. Most, although not all, allow customers to set some of even many of the account policies they will use, and most major vendors support some form of multifactor capability. 온프레미스 식별 서비스는 조직의 내부 인프라에서 운영되며, 조직이 직접 계정 및 식별 관리 서비스를 설정하고 관리합니다. 반면 클라우드 호스팅 환경에서는 클라우드 공급자가 계정 및 식별 관리 서비스를 제공하므로 조직은 해당 서비스를 구매하고 사용합니다. 따라서 클라우드 호스팅 환경에서는 온프레미스와 비교해 계정 및 식별 관리 서비스의 구현과 관리 방법이 다를 수 있습니다.

Rick believes that a system he is responsible for has been compromised with malware that uses a rootkit to obtain and retain access to the system. When he runs a virus scan, the system doesn't show any malware. If he has other data that indicates the system is infected, what should his next step be if he wants to determine what malware may be on the system? A. Return the antimalware scan B. Mount the drive on another system and scan it that way C. Disable the systems antivirus because it may be causing a false negative D. The system is not infected and he should move on.

B. rootkits are designed to hide from antimalware scanners and can often defeat locally run scans. Mounting the drive in another system in read-only mode, or booting from a USB drive and scanning using a trusted, known good operating system, can be an effective way to determine what malware is on a potentially infected system. 루트킷과 같은 고급 악성 소프트웨어는 시스템에서 감지하기 어렵고 숨겨진 상태에서 작동할 수 있습니다. 때때로 바이러스 스캔 도구로는 검출되지 않을 수 있습니다. 따라서 시스템이 감염되었을 가능성이 있으면 시스템 디스크를 다른 시스템에 마운트하고, 오프라인에서 스캔 및 분석을 수행하여 루트킷과 같은 악성 소프트웨어를 탐지하고 제거하는 것이 좋습니다.

Kevin recently identified a new security vulnerability and computed its CVSS base score as 6.5. Which risk category would this vulnerability fall into? A. Low B. Medium C. High D. Critical

B. vulnerabilities with CVSS base cores between 4.0~6.9 fit into the medium risk category - None: 0.0 - Low: 0.1~3.9 - Medium: 4.0~6.9 - High: 7.0~8.9 - Critical: 9.0~10.0

Bart needs to assess whether a three-way TCP handshake is occurring between a Linux server and a Windows workstation. He believes that the workstation is sending a SYN but is not sure what is occurring next. If he wants to monitor the traffic, and he knows that the Linux system does not provide a GUI, what tool should he use to view that traffic? A. dd B. tcpreplay C. tcpdump D. Wireshark

C. 'tcpdump' is a command-line tool that will allow Bart to capture and analyze the traffic coming from the Windows workstation. If he does not see a three-way handshake, he will need to determine what is occurring with the traffic. Wireshark is a GUI (graphical) program, 'tcpreplay' is used to replay traffic, and 'dd' is used to clone drives. Linux 시스템에서 네트워크 트래픽을 캡처하고 분석하는 데 주로 사용되는 명령줄 도구 중 하나인 "tcpdump"를 사용할 수 있습니다. 이 도구를 사용하면 네트워크 패킷을 실시간으로 캡처하고 트래픽을 분석할 수 있습니다. Bart는 Linux 서버에서 "tcpdump"를 사용하여 네트워크 트래픽을 감시하고 3-way TCP 핸드셰이크의 진행 여부를 확인할 수 있습니다. A. "dd"는 데이터를 복사하거나 변환하는 데 사용되며, 네트워크 트래픽 모니터링에는 적합하지 않습니다. B. "tcpreplay"는 저장된 패킷 캡처 파일을 다시 전송하는 데 사용되며, 트래픽 모니터링에 적합하지 않습니다. D. "Wireshark"는 GUI 기반의 네트워크 패킷 분석 도구이며, Linux 시스템에서 GUI가 없을 경우 사용이 어려울 수 있습니다.

Lucca is prototyping an embedded system and wants to use a device that can run a full Linux operating system so that he can install and use a firewall and other security software to protect a web service he will run on it. Which of the following solutions should he use? A. An Arduino B. An FPGA C. A Raspberry Pi D. None of the above

C. A Raspberry Pi supports Linux natively and has the resources and hardware to run the operating system and services described. An Arduino is a microcontroller and is better suited to handling a limited set of sensors, actuators, or similar hardware. Am FPGA is a specific type of integrated chip that can be programmed to handle specific tasks, but it is not a full computer. 라즈베리 파이 (Raspberry Pi)는 작고 저렴한 컴퓨터로, 전체 Linux 운영 체제를 실행할 수 있으므로 Lucca가 보안 소프트웨어 및 방화벽을 설치하고 웹 서비스를 보호하는 데 사용하기에 적합합니다. 다른 보기들에 대한 설명은 다음과 같습니다: A. 아두이노 (Arduino): 아두이노는 마이크로 컨트롤러 기반으로 작은 임베디드 시스템용이며, 전체 Linux 운영 체제를 실행하기에는 제한적입니다. B. FPGA: FPGA (Field-Programmable Gate Array)는 하드웨어를 프로그래밍할 수 있는 장치로, 전체 Linux 운영 체제를 실행하는 데는 적합하지 않습니다. D. 위의 어떤 것도 해당하지 않음: 라즈베리 파이가 Lucca의 요구 사항을 충족시키는 최적의 선택입니다.

Amanda is assessing a vehicle's internal network. What type of bus is the most likely to discover connecting its internal sensors and controllers? A. Narrowband bus B. A Zigbee bus C. A CAN bus CD. An SoC bus

C. A controller area network (CAN) is a vehicle-specific standard designed to allow microcontrollers, sensors, and other components of the vehicle to communicate. Zigbee, a wireless protocol used for home automation and similar short-ranged purposes, would be poorly suited to use in vehicles. Narrowband describes a channel, not a bus type, and an SoC bus was made up for this question.

What type of cryptographic attack attempts to force a user to reduce the level of encryption that they use to communicate with a remote server? A. Birthday B. Frequency C. Downgrade D. Rainbow table

C. A downgrade attack is sometimes used against secure communications such as TLS in an attempt to get the user or system to inadvertently shift to less secure cryptographic modes. The idea is to trick the user into shifting to a less secure version of the protocol, one that might be easier to break.

Melissa is planning on implementing biometric authentication on her network. Which of the following should be a goal for any biometric solution she selects?? a. high FRR, low FAR b. High FAR, low FRR c. Low CER d. High CER

C. A low crossover error rate will ensure that there's a low false rejection rate and a low false acceptance rate. The other options each have a high element, which is not desirable.

A person's name, age, location, or job title are all examples of what? A. Biometric factors B. Identity factors C. Attributes D. Account permissions

C. A person's name, age, location, job title, and even things like their height or hair color are all attributes that may be associated with a person's identity. None of these describe biometric factors used for authentication, and identity factors are something you know, something you are, or something you have. Account permissions determine what you can do, not attributes like these.

Which of the following is not typically part of SoC? A. A CPU B. A display C. Memory D. I/O

C. A system on a chip (SoC) is a chip that has most of the functions of a complete computer built into it. In fact, most SoCs have a CPU, memory, input/output, and storage as part of the chip. Adding a display to the chip is unlikely, but adding a display that the SoC can access and display to is very common in things like smartphones, smart watches, and other devices. A. CPU (Central Processing Unit): SoC에는 CPU가 포함되어 있습니다. CPU는 컴퓨터에서 중앙 처리 장치로 작동하며 명령을 실행하고 데이터를 처리합니다. B. Display: SoC에는 디스플레이 드라이버나 GPU (Graphics Processing Unit)와 같은 그래픽 관련 구성 요소가 포함될 수 있지만, 직접적으로 디스플레이 패널 자체는 SoC의 일반적인 구성 요소가 아닙니다. C. Memory: SoC는 시스템 메모리, 캐시 메모리 및 다양한 종류의 메모리 컨트롤러를 포함할 수 있습니다. 메모리는 SoC의 중요한 구성 요소 중 하나입니다. D. I/O (Input/Output): SoC는 다양한 입출력 인터페이스와 포트를 포함합니다. 이러한 I/O 구성 요소는 주변 장치와의 통신 및 데이터 전송에 사용됩니다. 따라서 일반적으로 SoC에는 A, C, D와 관련된 구성 요소가 포함됩니다. 하지만 B인 디스플레이 패널은 SoC의 일반적인 구성 요소로 간주되지 않습니다. 따라서 답은 "B. A display"입니다.

Wendy is scanning cloud-based repositories for sensitive information. Which one of the following should concern her most, if discovered in a public repository? A. Product manuals B. Source code C. API Keys D. Open source data

C. All of these items could be concerning, depending on the circumstances. However, API keys should never be found in public repositories because they may grant unauthorized individual access to information and resources. - API Key: is a unique identifier used to authenticate and authorize a user, developer, or calling program to an API API 키(API Keys)는 클라우드 서비스 또는 웹 애플리케이션과의 통신을 위한 인증 정보입니다. 만약 API 키가 공개 저장소에서 노출된다면 악용자가 해당 서비스 또는 애플리케이션에 대한 접근 권한을 얻을 수 있으며, 이로 인해 중요한 데이터 유출이 발생할 수 있습니다. 따라서 API 키의 유출은 보안 위협으로 간주되며 가장 큰 우려사항 중 하나입니다.

Danielle wants to capture traffic from a network so that she can analyze a VoIP conversation. Which of the following tools will allow her to review the conversation most effectively? A. A network SIPper B. tcpdump C. Wireshark D. netcat

C. Although 'tcpdump' can be used to view packets sent as part of a VoIP connection, Wireshark has built-in VoIP analysis and protocol-specific tools. Danielle will have greater success using those built-in tools. A network SIPper is a made-up tool, and 'netcat' is not a packet sniffer. Danielle가 VoIP 대화를 분석하기 위해 네트워크에서 트래픽을 캡처하려면 가장 효과적인 도구 중 하나는 Wireshark입니다. Wireshark는 네트워크 패킷을 캡처하고 분석하는 강력한 패킷 분석 도구로, 다양한 프로토콜 및 응용 프로그램 트래픽을 분석할 수 있습니다. Wireshark를 사용하면 다음과 같은 작업을 수행할 수 있습니다: 네트워크 트래픽 캡처: 다양한 네트워크 인터페이스에서 패킷을 캡처할 수 있습니다. - VoIP 트래픽 분석: VoIP 프로토콜인 SIP (Session Initiation Protocol) 및 RTP (Real-time Transport Protocol) 트래픽을 분석하여 VoIP 대화를 재생하고 분석할 수 있습니다. - 패킷 필터링: 필요한 프로토콜 및 트래픽을 필터링하여 원하는 정보만 표시할 수 있습니다. - 패킷 디코딩: 다양한 프로토콜의 패킷을 해석하고 디코딩하여 이해하기 쉬운 형식으로 표시됩니다. 다른 옵션들: A. 네트워크 SIPper: "SIPper"라는 별도의 도구는 없으며, SIP 트래픽을 분석하려면 Wireshark와 같은 패킷 분석 도구를 사용해야 합니다. B. tcpdump: tcpdump는 패킷 캡처 도구로, Wireshark와 유사한 목적으로 사용될 수 있지만 Wireshark보다는 분석 및 시각화 기능이 제한적입니다. D. netcat: netcat은 네트워크 연결 및 데이터 전송을 위한 유틸리티로, 패킷 분석 및 VoIP 대화 분석과 관련된 작업에는 적합하지 않습니다.

Charles needs to know about actions an individual performed on a PC. What is the best starting point to help him identify those actions? A. Review the system log B. Review the event log C. Interview the individual Analyze the system's keystroke log.

C. Although it may be temping to use a technical answer, interviewing the individual involved is the best starting point when a person performed actions that need to be reviewed. Charles can interview the staff member, and then move on to technical means to validate their responses. system and event logs may have some clues to what occurred, but normal systems do not maintain a keystroke log. In fact, the closest normal element is the command log used by both Windows and Linux to allow command-line input to be recalled as needed.

Angela wants to limit the potential impact of malicious Bash scripts. Which of the following is the most effective technique she can use to do so without a significant usability impact for most users? A. Disable Bash. B. Switch to another shell. C. Use Bash's restricted mode. D. Prevent execution of Bash scripts.

C. Bash's restricted shell mode removes many of the features that can make Bash useful for malicious actors. Bash의 제한 모드(Restricted Mode)는 Bash 스크립트의 실행을 제한하고 보안을 강화하는 데 도움이 되는 방법 중 하나입니다. 제한 모드를 사용하면 특정 명령어나 기능을 사용하지 못하도록 제한할 수 있으므로 악성 스크립트가 시스템에 영향을 미치지 않도록 할 수 있습니다. 이것은 다른 사용자에게 중요한 영향을 미치지 않으면서 보안을 높이는 효과적인 방법 중 하나입니다.

Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done? A. Removed the threat B. Reduced the threat C. Removed the vulnerability D. Reduced the vulnerability

C. By applying the path, Jen has removed the vulnerability from her server. This also has the effect of eliminating this particular risk. Jen cannot control the external threat of an attacker attempting to gain access to her server.

What type of security policy often serves as a backstop for issues not addressed in other policies? A. Account management B. Data ownership C. Code of conduct D. Continuous Monitoring

C. The code of conduct is often used as a backstop for employee behavior issues that are not addressed directly by another policy.

Alaina has implemented WPA2 and uses enterprise authentication for access points in infrastructure mode. What encryption protocol is her network using? A. WEP B. TKIP C. CCMP D. IV

C. CCMP is encryption protocol used for WPA2. A block cipher, CCMP provides confidentiality, authentication, and access control features. WEP is the protocol used before WPA, TKIP was used in WPA prior to the use of CCMP in WPA2, and IV is a initialization vector. Alaina가 WPA2를 구현하고 인프라 모드에서 엔터프라이즈 인증을 사용하고 있다면, 그녀의 네트워크는 CCMP 암호화 프로토콜을 사용하고 있습니다. CCMP는 WPA2에서 사용되는 표준 암호화 프로토콜 중 하나로, 안전한 데이터 전송을 보장하기 위해 데이터 암호화와 인증을 결합합니다. 다른 옵션들: A. WEP (Wired Equivalent Privacy)는 더 이상 안전한 암호화로 간주되지 않으며 사용을 권장하지 않습니다. B. TKIP (Temporal Key Integrity Protocol)는 WPA에서 사용되는 암호화 프로토콜이며, WPA2에서는 CCMP가 더 안전한 대체재로 사용됩니다. D. IV (Initialization Vector)는 암호화에서 사용되는 초기 벡터를 나타냅니다. 하지만 IV는 암호화 프로토콜 자체가 아닙니다.

Jim wants to view log entries that describe actions taken by applications on a CentOS Linux system. Which of the following tools can he use on the system to view those logs? A. logger B. syslog-ng C. journalctl D. tail

C. CentOS and Red Har Enterprise Linux both use journalctl to view journal logs that contain application information. Jim should be journalctl to review the logs for the information he needs. The tool also provides functionality that replicates what 'head' and 'tail' can do for logs. Syslog-ng is a logging infrastructure, and though logs may be sent via syslog-ng, it is not mentioned here. logger is a logging utility used to make entries in the system log. CentOS Linux 시스템에서는 systemd를 사용하며, 로그는 systemd의 저널 서비스에 의해 기록됩니다. 따라서 로그를 보기 위해서는 "journalctl" 명령어를 사용합니다. 이 명령어를 사용하면 시스템 로그 및 서비스 로그 등을 검색하고 확인할 수 있습니다. A. "logger": "logger" 명령어는 로그 메시지를 생성하고 시스템 로그에 메시지를 보내는 데 사용됩니다. 그러나 로그 항목을 조회하거나 보기 위한 명령어가 아니므로 이 경우에는 부적합합니다. B. "syslog-ng": "syslog-ng"는 로깅 시스템을 관리하기 위한 고급 로깅 도구 중 하나이며, 로그 메시지를 수집하고 중계하는 데 사용됩니다. 로그 항목을 직접 조회하는 목적으로는 주로 사용되지 않습니다. D. "tail": "tail" 명령어는 파일의 끝에서부터 내용을 출력하는 데 사용됩니다. 로그 파일의 실시간 변경 사항을 모니터링하는 데 유용하지만, 시스템 로그의 전체 내용을 조회하려면 "journalctl"과 같은 도구가 더 적합합니다.

Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns? A. Using secure session management B. Enabling logging on the database C. Performing user input validation D. Implementing TLS

C. Chares should perform user input validation to strip out any SQL code or other unwanted input. Secure session management can help prevent session hijacking, logging may provide useful information for incident investigation, and implementing TLS can help protect network traffic, but only input validation helps with the issue described. SQL 인젝션 공격은 주로 사용자가 입력한 데이터를 악의적인 SQL 코드로 이용하여 데이터베이스에 대한 공격을 시도하는 공격 유형입니다. 이러한 공격을 방지하기 위해서는 사용자 입력 데이터의 유효성을 검사하고, 안전하지 않은 문자나 명령을 필터링하여 데이터베이스로 전달되지 않도록 해야 합니다. 따라서 "Performing user input validation"이 SQL 인젝션 공격에 대한 가장 적절한 대책 중 하나입니다.

Chris wants systems that connect to his network to report their boot processes to a server where they can be validated before being permitted to join the network. What technology should he use to do this on the workstations? A. UEFI/Trusted boot B. BIOS/Trusted boot C. UEFI/Measured boot D. BIOS/Measured boot

C. Chris knows that BIOS-based systems do not support either of these modes, and that trusted boot validates every component before loading it, whereas measured boot logs the boot process and sends it to a server that can validate it before permitting the system to connect to the network or perform other action. UEFI (Unified Extensible Firmware Interface) 및 측정된 부팅 (Measured boot)은 부팅 프로세스를 검증하고 부팅된 운영 체제 및 소프트웨어 구성 요소의 신뢰성을 보장하는 데 사용됩니다. 측정된 부팅은 부팅 과정 중에 부팅된 운영 체제 및 관련 파일의 해시 값을 측정하고 서버로 보고하여 유효성을 검사합니다.

Ben wants to observe malicious behavior targeted at multiple systems on a network. He sets up a variety of systems and instruments to allow him to capture copies of attack tools and to document all the attacks that are conducted. What has he set up? A. A honeypot B. A beartrap C. A honeynet D. A tarpit

C. Honeynet is a group of systems that intentionally exposes vulnerabilities so that defenders can observe attack behaviors, techniques, and tools to help them design better defense.

Kira would like to implement a security control that can implement access restrictions across all of the SaaS solutions used by her organization. What control would best meet her needs? A. Security group B. Resource policy C. CASB D. SWG

C. Cloud access security brokers (CASBs) are designed specifically for this situation: enforcing security controls across cloud providers. A secure web gateway (SWG)may be able to achieve Kira's goal but it would be more difficult to do so. Security groups and resources policies are controls used in IaaS environments. Kira의 요구 사항을 충족하기 위해서는 CASB (Cloud Access Security Broker)와 같은 제어를 사용하는 것이 가장 적합합니다. CASB는 여러 SaaS 솔루션에 대한 액세스 제어와 보안 정책을 중앙에서 관리하고 강화할 수 있습니다. CASB는 클라우드 환경에서 보안 및 규정 준수를 강화하기 위한 중요한 도구 중 하나입니다.

Charles wants to obtain a forensic copy of a running virtual machine. What technique should he use to capture the image? A. Run 'dd' from within the running machine. B. Use FTK Imager from the virtual machine host. C. Use the VM host to create a snapshot D. Use WinHex to create a copy from within the running machine.

C. Creating a snapshot will provide a complete copy of the system, including memory state that can then be analyzed for forensic purposes. Copying a running system from a program running within that system can be problematic, since the system itself will change while it is trying to copy itself. FTK Imager can copy drives and files, but it would be handle a running virtual machine. VM 호스트에서 스냅샷을 만들면 찰스는 특정 시점의 가상 머신 상태를 캡처할 수 있으며 실행 중인 머신의 작동에 영향을 주지 않고 원래 시스템의 상태를 변경하지 않고 포렌식 분석에 사용할 수 있습니다. 이 스냅샷은 원본 시스템의 상태를 변경하지 않고도 포렌식 분석을 위해 사용할 수 있습니다.

In which of the following cloud categories are customers typically charged based on the number of virtual server instances dedicated to their use? A. IaaS only B. SaaS only C. IaaS and PaaS D. Iaas, Saas, and PaaS

C. Customers are typically charged for server instances in both IaaS environments, where they directly provision those instances, and PaaS environments, where they request the number of servers needed to support their applications. In an SaaS environment, the customer typically has no knowledge of the number of server instances supporting their use.

Gary wants to use secure protocols for email access for his end users. Which of the following groups of protocols should he implement to accomplish this task? A. DKIM, DMARC HTTPS B. SPF, POPS, IMAPS C. POPS, IMAPS, HTTPS D. DMARC, DKIM SPF

C. End users may use secure POP (POPS), secure IMAP (IMAPS), and secure HTTP (HTTPS) to retrieve email. SPF, DKIM, and DMARC are used to identify and validate email servers, not to access email by end users.

Alan's team needs to perform computations on sensitive personal information but does not need access to the underlying data. What technology can the team use to perform these calculations without accessing the data? A. Quantum computing B. Blockchain C. Homomorphic encryption D. Certificate pinning

C. Homomorphic encryption technology protects privacy by encrypting the data in a way that preserves the ability to perform computation on that data. - this enables to still perform calculations on their data while protect the privacy of individual data. 호모모픽 암호화는 암호화된 데이터에서 계산을 수행할 수 있게 해주는 암호화 기술입니다. 이를 통해 데이터를 암호화한 상태에서도 원격 서버에서 계산을 수행하고 결과를 얻을 수 있습니다. 따라서 민감한 데이터에 대한 실제 액세스 없이도 계산을 안전하게 수행할 수 있습니다.

Which of the following statements about the security implications of IPv6 is not true? A. Rules based on static IP addresses may not work B. IPv6 reputation services may not be mature and useful C. IPv6's NAT implementation is insecure D. IPv6 traffic may bypass existing security controls

C. IPv6 does not include network address translation (NAT) because there are so many IP addresses available. That means that there is not a NAT implementation, and thus, IPv6 cannot have an insecure version. Rules based on static IPv6 addresses may not work since dynamic addresses are heavily used in IPv6 networks, reputation services remain relatively rare and less useful for IPv6 traffic., and IPv6 traffic may bypass many existing IPv4 security tools. 주어진 문항에서 나열된 서술 중 유일하게 틀린 서술은 "C. IPv6의 NAT 구현은 불안정하다"입니다. 사실, IPv6는 주소 부족 문제를 해결하기 위해 NAT (Network Address Translation)를 필요로하지 않습니다. IPv4에서 주로 사용되는 NAT는 주소 변환을 통해 여러 개의 내부 IP 주소를 한 개의 공인 IP 주소에 매핑하는 방법입니다. 그러나 IPv6은 충분한 IP 주소 공간을 제공하므로 NAT가 필요하지 않습니다. 따라서 IPv6에서 NAT를 구현할 필요가 없으며, NAT는 IPv6에서 불안정하거나 사용되지 않습니다. 다른 서술들은 IPv6의 보안 문제와 관련이 있습니다. IPv6의 도입으로 인해 정적 IP 주소를 기반으로 한 규칙, IPv6 평판 서비스, 그리고 기존 보안 제어가 IPv6 트래픽을 우회할 수 있는 가능성과 관련된 보안 고려 사항이 있습니다.

Which one of the following is NOT an example of infrastructure as a code? A. Defining infrastructure in JSON B. Writing code to interact with a cloud provider's API C. Using a cloud provider's web interface to provision resources D. Defining infrastructure is YAML

C. Infrastructure as code is any approach that automates the provisioning, management, and deprovisioning of cloud resources. Defining resources through JSON or YAML is IaC, as is writing code that interacts with an API. Provisioning resources through a web interface is manual, not automated, and therefore does not qualify as IaC. 인프라스트럭처 코드는 인프라스트럭처 및 리소스를 코드 형태로 정의하고 자동화하는 것을 나타냅니다. 나머지 옵션들은 모두 인프라스트럭처 코드와 관련이 있습니다. A. Defining infrastructure in JSON (JSON으로 인프라스트럭처를 정의하는 것) B. Writing code to interact with a cloud provider's API (클라우드 제공 업체의 API와 상호 작용하기 위한 코드 작성) D. Defining infrastructure is YAML (YAML로 인프라스트럭처를 정의하는 것)

You noticed a high number of SQL injection attacks against a web application run by your organization, so you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk? A. Reduced the magnitude B. Eliminated the vulnerability C. Reduced the probability D. Eliminated the threat

C. Installing a web application firewall reduces the probability that an attack will reach the web server. Vulnerabilities may still exist in the web application and the threat of an external attack is unchanged. The impact of a successful SQL injection attack is also unchanged by a web application firewall.

Isabelle needs to select the EAP protocol that she will use with her wireless network. She wants to use a secure protocol that does not require client devices to have a certificate, but she does want to require mutual authentication. Which EAP protocol should she use? A. EAP-FAST B. EAP-TTLS C. PEAP D. EAP-TLS

C. Isabelle should select PEAP, which does NOT require client certificates but does provide TLS support. EAP-TTLS provides similar functionality but requires additional software to be installed on some devices. EAP-FAST focuses on quick reauthentication, and EAP-TLS requires certificates to be deployed to the endpoint devices. PEAP (Protected Extensible Authentication Protocol)은 안전한 EAP 프로토콜 중 하나로, 클라이언트 디바이스가 인증서를 갖지 않아도 안전한 서버 인증을 수행할 수 있도록 해줍니다. PEAP은 클라이언트와 서버 간에 상호 인증을 수행하며, 보안 속성을 제공하여 사용자 자격 증명을 안전하게 전송합니다. 이 프로토콜은 주로 비즈니스 환경에서 사용되며, 사용자 이름과 암호를 기반으로 인증을 수행하는데, 서버 측에서 클라이언트의 신뢰성을 확인합니다. 다른 옵션들: A. EAP-FAST (EAP-Flexible Authentication via Secure Tunneling): EAP-FAST도 안전한 EAP 프로토콜 중 하나이며, 클라이언트 인증서를 필요로하지 않는 특징을 가지고 있습니다. 하지만 PEAP와는 약간 다른 인증 메커니즘을 사용합니다. B. EAP-TTLS (EAP-Tunneled Transport Layer Security): EAP-TTLS는 클라이언트와 서버 간에 안전한 터널을 설정하여 사용자 인증을 보호합니다. 클라이언트 인증서가 없어도 사용될 수 있습니다. D. EAP-TLS (EAP-Transport Layer Security): EAP-TLS는 클라이언트와 서버 간에 TLS/SSL을 사용하여 상호 인증을 수행하는 안전한 EAP 프로토콜입니다. 클라이언트 인증서가 필요하며, 높은 보안 수준을 제공합니다.

What type of access control scheme best describes the Linux filesystem? A. MAC B. RBAC C. DAC D. ABAC

C. Linux users can change who can read, write, or execute files and directories they own, which is discretionary access control (DAC). Mandatory access control (MAC) would enforce settings set by the systems administrator without users having the rights to make their own decisions. Rule-based access control (RBAC) and attribute-based access control (ABAC) are not a default method for setting rights for the Linux filesystem. Linux 파일 시스템은 주로 DAC (Discretionary Access Control)을 기반으로 합니다. DAC는 사용자 또는 파일 소유자가 파일 또는 디렉터리에 대한 액세스 권한을 자유롭게 관리할 수 있는 체계로, 파일 소유자가 파일에 대한 액세스 권한을 설정하고 관리합니다. 이것은 리눅스 시스템에서 가장 흔한 액세스 제어 형태입니다.

James noticed that a macro virus has been detected on a workstation in his organization. What was the most likely path for the infection? A. A drive-by download via a web browser B. A worm spread the macro virus, C. A user intentionally enabled macros for an infected file D. A remote access Trojan was used to install the macro virus

C. Modern versions of MS Office disable macros by default. For most macro viruses to successfully attack systems, users must enable macros. Social engineering and other techniques are used to persuade users that they want to need to enable macros in infected files, allowing the malicious scripts to run. 매크로 바이러스는 주로 사용자가 악성 매크로가 포함된 문서나 파일을 열고 해당 매크로를 활성화했을 때 감염됩니다. 사용자는 종종 소셜 엔지니어링 기술을 사용하여 악성 문서를 열고 매크로를 활성화할 수 있습니다. 따라서 가장 가능성 있는 감염 경로는 사용자가 감염된 파일의 매크로를 의도적으로 활성화한 경우입니다.

Which one of the following security assessment tools is least likely to be used during the reconnaissance phase of a penetration test? A. Nmap B. Nessus C. Metasploit D. Nslookup

C. Nmap is a port scanning tool used to enumerate open network ports on a system. Nessus is a vulnerability scanner designed to detect security issues on a system. Nslookup is a DNS information gathering utility. All three of these tools may be used to gather information and detect vulnerabilities. Metasploit is an exploitation framework used to execute and attack and would be better suited for the Attacking and Exploiting phase of a penetration test. 정찰 단계에서는 공격자가 대상 시스템 및 네트워크에 대한 정보를 수집하고 식별하는 단계입니다. Nmap, Nessus 및 Nslookup은 정찰 단계에서 정보 수집 및 시스템 스캐닝에 사용되는 도구입니다. 이러한 도구를 사용하여 대상 시스템 및 네트워크의 포트, 서비스, 취약점 등을 식별합니다. Metasploit은 펜트레이션 테스트의 공격 단계에서 사용되는 도구로, 취약점을 악용하고 악성 코드를 실행하는 데 사용됩니다. 따라서 Metasploit은 정찰 단계에서보다는 공격 단계에서 주로 사용됩니다.

Fred wants to ensure that the administrative interfaces for the switches and routers are protected so that they cannot be accessed by attackers. Which of the following solutions should he recommend as part of his organization's network design? A. NAC B. Trunking C. Out-of-band management D. Port security

C. Out-of-band management places the administrative interface of a switch, router, or other device on a separate network or required direct connectivity to the device to access and manage it. This ensures that an attacker who has access to the network cannot make changes to the network devices. NAC and port security help protect the network itself, whereas trunking is used to combine multiple interfaces, VLANs, or ports together. Out-of-band management은 네트워크 장비의 관리 인터페이스를 네트워크 데이터 트래픽과 분리하여 보안을 강화하는 기술입니다. 관리 인터페이스를 외부 네트워크와 분리함으로써, 내부 네트워크에서 장비 관리를 위해 사용되는 인터페이스가 외부 공격자에 의해 액세스되지 않도록 보호됩니다. 다른 옵션들: A. NAC (Network Access Control): NAC는 네트워크에서 연결된 디바이스의 보안을 관리하고, 인증 및 권한 부여를 통해 네트워크 접근을 제어하는 기술입니다. 그러나 이것은 관리 인터페이스 보호에 직접적으로 적용되는 것은 아닙니다. B. Trunking: Trunking은 스위치와 라우터 간에 VLAN 데이터를 전송하기 위한 특별한 연결 방식을 나타냅니다. 관리 인터페이스 보호와 관련이 없습니다. D. Port security: Port security는 스위치 포트에서 연결된 디바이스의 물리적 보안을 강화하는 데 사용되며, 관리 인터페이스의 보호와 직접적인 관련이 없습니다.

Which one of the following certificate formats is closely associated with Windows binary certificate files? A. DER B. PEM C. PFX D. P7B

C. PFX format is most closely associated with Windows systems that store certificates in binary format, whereas the P7B format is used for windows systems storing files in text format. PFX (Personal Exchange Format) 형식은 Windows 운영 체제에서 주로 사용되는 인증서 형식입니다. PFX 파일은 개인 키와 해당 인증서를 함께 포함하고 있으며, 주로 Windows에서 인증서를 내보낼 때 사용됩니다. PFX 파일은 비밀번호로 보호되어 개인 키와 인증서를 안전하게 저장하고 전송할 수 있도록 도와줍니다.

Frank's organization is preparing to deploy a data loss prevention (DLP) system. What key process should they undertake before they deploy it? A. Attackers may change the baseband frequency used by the devices, causing them to fail B. Attackers may switch the devices to a narrowband radio mode that limits the range of the cellular modems C. Attackers may steal the SIM cards from the devices and use them for their own purposes D. Attackers may clone the SIM cards from the devices to conduct attacks against one-time password systems.

C. Physical theft of SIM cards is the threat that cellular-connected devices may face. Using an integrated SIM rather than a removable SIM, or making the SIM difficult or impossible to access without significant effort, may help. Although cloning SIM cards to help defeat one-time password systems is an actual attacks, IoT devices typically do not use a cellular connection to present a one-time password since no users are involved. Both the narrowband and baseband answers are not concerns in this scenario.

Which one of the following information sources would NOT be considered an OSINT source? A. DNS lookup B. Search engine research C. Port scans D. WHOIS queries

C. Port scans are an active reconnaissance technique that probe target systems and would not be considered Open Source Intelligence (OSINT). Search engine research, DNS lookups, and WHOIS queries are all open source resources. OSINT는 공개된 정보 소스에서 얻은 정보를 활용하는 것을 의미합니다. DNS 조회, 검색 엔진 조사, 그리고 WHOIS 조회는 인터넷에서 공개된 정보를 활용하여 정보를 수집하는 OSINT의 예입니다. 그러나 포트 스캔은 일반적으로 네트워크 내부에서 실행되며, 네트워크의 상태를 확인하거나 서비스의 가용성을 테스트하기 위해 사용되는 활동입니다. 포트 스캔은 외부에서 공개된 정보를 수집하는 것이 아니라, 네트워크 및 시스템 구성을 검사하는 것으로 간주되므로 OSINT 소스로 간주되지 않습니다.

Which one of the following items is NOT normally included in a request for an exception to security policy? A. Description of a compensating control B. Description of the risks associated with the exception C. Proposed revision to the security policy D. Business justification for the exception

C. Requests for an exception to a security policy would not normally include a proposed revision to the policy. Exceptions are documented variances from the policy because of specific technical and/or business requirements. They do not alter the original policy, which remains in force for systems not covered by the exception.

Naomi wants to provide guidance on how to keep her organization's new machine-learning tools secure. Which of the following is not a common means of securing machine learning algorithms? A. Understand the quality of the source data B. Build a secure working environment for ML developers C. Require third-party review for bias in ML algorithms D. Ensure changes to ML algorithms are reviewed and tested

C. Requiring third-party review of ML algorithms is not a common requirement, but ensuring that you use high-quality source data, that the working environment remains secure, and that changes are reviewed and tested are all common best practices for ML algorithm security.

Scott notices that one of the systems on his network contacted a number of systems via encrypted web traffic, downloaded a handful of files, and then uploaded a large amount of data to a remote system. What type of infection should he look for? A. A keylogger B. A backdoor C. A bot D. A logic bomb

C. The behavior that Scott is seeing are characteristic of a bot infection. The bot was likely contacting command-and-control hosts, then downloading updates and/or additional packages, then uploading data from his organization. He will need to determine if sensitive or important business information was present on the system or accessible from it. Keyloggers will capture keystrokes and user input but would typically require additional malware packages to display this behavior. A logic bomb might activate after an event, but no event is described, and a backdoor is used for remote access. 스콧이 관찰한 활동은 일반적으로 봇(Bot) 또는 좀비 컴퓨터가 특정 명령을 받아 원격 서버 또는 컨트롤러와 통신하고 악성 파일을 다운로드하며 대량의 데이터를 업로드하는 봇 활동을 나타낼 수 있습니다. 봇은 공격자의 명령을 따르고, 주로 대규모 DDoS 공격, 스팸 전송, 데이터 도난 등에 사용됩니다.

Theresa wants to implement an access control scheme that sets permissions based on what the individual's job requires. Which of the following schemes is most suited to this type of implementation? A. ABAC B. DAC C. RBAC D. MAC

C. Role-based access control (RBAC) sets permissions based on an individual's role, which is typically associated with their job. Attribute-based access control (ABAC) is typically matched to attributes other than the job role. Discretionary access control (DAC) and mandatory access control (MAC) are commonly implemented at the operating system level. Theresa가 개인의 직무에 따라 권한을 설정하려면 RBAC (Role-Based Access Control)을 가장 적합한 체계로 선택할 수 있습니다. RBAC는 사용자 역할에 기반하여 권한을 부여하고 관리하는 방식으로, 각 사용자에게 적절한 역할이 할당되며 해당 역할에 필요한 권한이 부여됩니다. 이를 통해 조직은 사용자의 직무 또는 역할에 따라 권한을 자동으로 관리하고 제어할 수 있습니다. A. ABAC (Attribute-Based Access Control, 속성 기반 액세스 제어)은 속성을 기반으로 권한을 부여하는 체계로, 역할에 기반하지 않습니다. B. DAC (Discretionary Access Control, 자유로운 액세스 제어)은 사용자가 파일 또는 리소스에 대한 액세스 권한을 직접 설정하는 방식으로, 직무에 따라 자동으로 관리되지 않습니다. D. MAC (Mandatory Access Control, 의무 액세스 제어)은 레이블 또는 보안 등급을 기반으로 권한을 부여하는 체계로, 역할에 따라 설정되지 않습니다.

What language is STIX based on? A. PHP B. HTML C. XML D. Python

C. STIX is an XML-based language, allowing it to be easily extended and modified while also using standard XML-based editors, readers, and other tools. - STIX (Secured Threat Information eXpression): SML language sponsored by DHS. - XML (Extensive Markup Language): XML(Extensible Markup Language)은 표준 정보 형식을 형성하고 인터넷, 인트라넷 및 다른 곳에서 형식과 정보를 공유하는 유연한 방법 STIX(Structured Threat Information eXpression)는 구조화된 위협 정보 표현을 위한 표준 규격이며 XML(Extensible Markup Language)을 기반으로 합니다. XML은 데이터를 구조화하고 표현하는 데 사용되는 마크업 언어로, STIX는 보안 관련 정보를 공유하고 교환하기 위해 이를 활용합니다.

What factor is a major reason organizations do not use security guards? A. Reliability B. Training C. Cost D. Social Engineering

C. Security guards can be one of the most costly physical security controls over time, making the cost of guards one of the most important deciding factors guiding when and where they will be employed. Reliability, training, and the potential for social engineering are all possible issues with security guards, but none of these is the major driver in the decision process.

Michael wants to log directly to a database while also using TCP and TLS to protect his log information and to ensure it is received. What tool should he use? A. syslog B. rsyslog C. syslog-ng D. journalctl

C. Syslog-ng allows logging directly to common databases, uses TCP, and supports TLS, making it a secure and reliable option. Rsyslog does not allow direct logging to a database, and syslog itself does not provide these functions by default. Michael은 로그 정보를 직접 데이터베이스로 기록하고 동시에 TCP 및 TLS를 사용하여 로그 정보를 보호하고 수신을 보장하려고 합니다. 이러한 요구 사항을 충족시키기 위해 syslog-ng와 같은 도구를 사용할 수 있습니다. syslog-ng는 고급 로그 관리 및 수집 도구로, 로그 데이터를 안전하게 전송하고 데이터베이스에 기록할 수 있도록 다양한 보안 및 전송 옵션을 제공합니다. 다른 옵션들: A. syslog: syslog는 로그 메시지를 기록하는 표준 로그 메시지 전송 프로토콜을 나타냅니다. syslog 자체는 데이터베이스로 직접 로그를 기록하거나 TLS를 사용하여 보호하지 않습니다. B. rsyslog: rsyslog는 syslog의 확장된 버전으로, 로그 메시지의 수집, 전송 및 저장을 지원합니다. 그러나 TLS 기능이나 직접적인 데이터베이스 로깅을 제공하지는 않습니다. D. journalctl: journalctl은 systemd 기반의 리눅스 시스템에서 로그를 조회하는 데 사용되는 명령어입니다. 데이터베이스 저장 및 TLS 전송과 관련된 기능을 제공하지 않습니다.

What ISO standard provides guidance on privacy controls? A. 27002 B. 27001 C. 27701 D. 31000

C. The International Organization for Standardization (ISO) publishes ISO 27701, covering privacy controls. ISO 27001 and 27002 cover cybersecurity, and ISO 31000 covers risk management.

Kevin is configuring a web server to use digital certificates. What technology can he use to allow clients to quickly verify the status of that digital certificate without contacting a remote server? A. CRL B. OCSP C. Certificate Stapling D. Certificate Pinning

C. The Online Certificate Status Protocol (OCSP) provides real-time checking of a digital certificate's status using a remote server. Certificate stapling attaches a current OCSP response to the certificate to allow the client to validate the certificate without contacting the OCSP server. Certificate revocation lists (CRLs) are a slower, outdated approach to managing certificate status. Certificate pinning is used to provide an expected key, not to manage certificate status. Certificate Stapling은 웹 서버가 디지털 인증서의 상태를 빠르게 확인하기 위한 기술입니다. 서버는 디지털 인증서와 함께 인증서 상태 응답을 제공하고, 클라이언트는 웹 사이트에 연결할 때 서버로부터 바로 이 인증서 상태 응답을 수신합니다. 이렇게 하면 클라이언트가 디지털 인증서의 유효성을 확인할 때 원격 서버에 연락하지 않고도 빠르게 확인할 수 있습니다.

Gene recently conducted an assessment and determined that his organization can be without its main transaction database for a maximum of two hours before unacceptable damage occurs to the business. What metric has Gene identified? A. MTBF B. MTTR C. RTO D. RPO

C. The Recovery Time Objective (RTO) is the amount of time that the organization can tolerate a system being down before it is repaired. That is the metric that Gene has identified in this scenario.

The organization that Chris works for has disabled automatic updates. What is the most common reason for disabling automatic updates for organizational systems? A. To avoid disruption of the work process for office workers B. To prevent security breaches due to malicious patches and updates C. To avoid issues with problematic patches and updates D. All of the above

C. The most common reason to disable automatic patching is to avoid issues with problematic or flawed patches and updates. In most environments the needs to patch regularly is accepted and handled for office workers without causing significant disruption. That concern would be different if the system being patched were part of an industrial process or factory production environment. Malicious patches from legitimate sources such as an automatic update repository are exceptionally rare and are not a common concern or driver of this behavior.

Which one of the CVSS metrics would contain information about the number of times that an attacker must successfully authenticate to execute an attack? A. AV B. C C. PR D. AC

C. The privileges required (PR) metric indicates the type of system access that an attacker must have to execute the attack. - AV (Attack vector) metric describes how an attacker would exploit the vulnerability - C (Confidentiality) metric describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability - AC (Attack Complexity) metric describes the difficulty of exploiting the vulnerability - UI (User interaction) metric describes whether the attacker needs to involve another human in the attack - I (Integrity) metric describes the type of information alteration that might occur - A (Availability) metric describes the type of disruption that might occur

Naomi has discovered the following TCP ports open on a system she wants to harden. Which ports are used for unsecure services and thus should be disabled to allow their secure equivalents to continue to be used? 21 22 23 80 443 A. 21, 22, and 80 B. 21 and 80 C. 21, 23, and 80 D. 22 and 443

C. The services listed are: 21 - FTP 22 - SSH 23 - Telnet 24 - HTTP 443 - HTTPS Of these services, SSH and HTTPS are secure options for remote shell access and HTTP. Although secure mode FTP (FTPS) may run on TCP 21, there is not enough information to know for sure, and HTTPS can be used to secure file transfer if necessary. Thus, Naomi's best option is to disable all three likely insecure protocols: FTP. Telnet, and HTTP.

Joe checks his web server logs and sees that someone sent the following query string to an application running on the server: http://www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892' ; DROP TABLE Services;-- What type of attack was most likely attempted? A. Cross-site scripting B. Session hijacking C. Parameter pollution D. Man-in-the-middle

C. This query string is indicative of a parameter pollution attack. In this case, it appears that the attacker was waging a SQL injection attack and tried to use parameter pollution to slip the attack past content filtering technology. The two instances of the "ServiceID" parameter in the query string indicate a parameter pollution attempt. 주어진 URL에서 볼 수 있듯이, 공격자는 "serviceID" 매개변수에 여러 값을 할당하고 SQL 인젝션 공격을 시도하는 것처럼 보입니다. 이 공격은 "Parameter pollution" 또는 "매개변수 오염" 공격으로 알려져 있으며, 애플리케이션에서 예상치 않은 동작을 유발하거나 보안 문제를 야기할 수 있습니다. 이 경우에는 SQL 쿼리에 악의적인 코드가 삽입되어 "Services" 테이블을 삭제하려고 시도하고 있습니다.

Which one of the following security assessment techniques assumes that an organization has already been compromised and searches for evidence of that compromise? A. Vulnerability scanning B. Penetration testing C. Threat hunting D. War driving

C. Threat hunting is an assessment technique that makes an assumption of compromise and then searches the organization for indicators of compromise that confirm the assumption. Vulnerability scanning, penetration testing, and war driving are all assessment techniques that pro be for vulnerabilities but do not assume that a compromise has already taken place. Threat hunting은 조직이 이미 침해되었다고 의심할 때, 시스템 및 네트워크 환경에서 침입자의 흔적을 찾고 확인하기 위해 사용되는 보안 평가 기술입니다. 이것은 보안 분석가가 일반적인 행동 패턴 및 악의적인 활동의 조직 내 증거를 찾고 분석하는 프로세스를 나타냅니다.

Fran's organization uses a Type I hypervisor to implement an IaaS offering that it sells to customers. Which one of the following security controls is least applicable to this environment? A. Customers must maintain security patches on guest operating systems B. The provider must maintain security patches on the hypervisor C. The provider must maintain security patches on the host operating system D. Customers must manage security groups to mediate network access to guest operating systems

C. Type I Hypervisors, also known as bare-metal hypervisors, run directly on top of the physical hardware and, therefore, do not require a host operating system.

What standard allows USB devices like cameras, keyboards and flash drives to be plugged into mobile devices and used as they normally would be? A. OG-USB B. USB-HSM C. USB-OTG D. RCS-USB

C. USB On-the-Go, or USB-OTG, is a standard that allows mobile devices to act as USB hosts, allowing cameras, keyboards, thumb drives, and other USB devices to be used. USB HSM is a USB hardware security module. USB-OTG (USB On-The-Go)는 휴대 기기와 USB 주변 기기 간의 직접적인 연결을 지원하는 표준입니다. 이 표준을 사용하면 모바일 기기 (예: 스마트폰 또는 태블릿)에 USB 주변 기기 (예: 카메라, 키보드, 플래시 드라이브)를 연결하고 사용할 수 있습니다. USB-OTG를 지원하는 모바일 기기는 일반적으로 표준 USB 포트 대신 더 작은 Micro USB 또는 USB-C 포트를 사용합니다. 이를 통해 사용자는 모바일 기기에서 파일을 읽거나 쓰거나 다양한 주변 기기와 상호 작용할 수 있습니다. 다른 옵션들: A. OG-USB (Original USB) 및 D. RCS-USB (RCS USB)는 실제로 존재하지 않는 USB 표준입니다. B. USB-HSM (USB Hardware Security Module)은 USB 기반의 하드웨어 보안 모듈을 나타낼 수 있지만, 이것은 USB 주변 기기의 연결 및 사용과 관련이 없습니다.

Henry wants to check to see if services were installed by an attacker. What commonly gathered organizational data can he use to see if a new service appeared on systems? A. Registry dump from systems throughout his organization B. Firewall logs C. Vulnerability scans D. Flow logs

C. Vulnerability scans are the best way to find new services that are offered by systems. In fact, many vulnerability scanners will flag new services when they appear, allowing administrators to quickly notice unexpected new services. Registry information is not regularly dumped or collected in most organizations. Firewall logs and flow logs could show information about the services being used by systems whose traffic passes through them, but this is less useful and accurate way of identifying new services and would work only if those services were also being used.

Which one of the following techniques would be considered passive reconnaissance? A. Port scans B. Vulnerability scans C. WHOIS lookups D. Footprinting

C. WHOIS lookups are external registries and are an example of open source intelligence (OSINT), which is a passive reconnaissance technique. Port scans, vulnerability scans, and footprinting all require active engagement with the target and are, therefore, active reconnaissance. - footprinting: identify the opreating systems and applicatiosn i use - Port scan: identify open ports on systems - Vulnerability scan: identify exploitable vulnerabilities. WHOIS 조회는 수동 정찰 기법 중 하나로, 도메인 레지스트리 또는 WHOIS 데이터베이스를 검색하여 도메인에 대한 정보를 수집하는 프로세스를 나타냅니다. 이러한 정보에는 도메인 소유자, 등록 날짜, 연락처 정보 등이 포함될 수 있습니다. WHOIS 조회는 공개된 정보를 검색하는 것이므로 공격자에게 식별 정보나 시스템 상태를 노출하지 않는 수동 정찰 기법 중 하나입니다.

David would like to send Mike a message using an asymmetric encryption algorithm. What key should he use to encrypt the message. A. David's Public Key B. David's Private Key C. Mike's public key D. Mike's Private key

C. When encrypting a message using an asymmetric encryption algorithm, the person performing the encryption does so using the recipient's public key. 비대칭 암호화에서 메시지를 암호화할 때는 수신자의 공개 키를 사용합니다. David가 Mike에게 메시지를 보내려면 Mike의 공개 키를 사용하여 메시지를 암호화하고, Mike만이 해당 메시지를 복호화할 수 있습니다. 반대로 Mike가 David에게 안전하게 메시지를 보내려면 David의 공개 키를 사용하여 메시지를 암호화할 것입니다. Private Key (개인 키)는 소유자만 알고 있어야 하며 메시지를 복호화하는 데 사용됩니다.

Acme Widgets has 10 employees and they all need the ability to communicate with one another using a symmetric encryption system. The system should allow any two employees to securely communicate without other employees eavesdropping. If an 11th employee is added to the organization, how many new keys must be added to the system? A. 1 B. 2 C. 10 D. 11

C. When the 11th employee joins Acme Widgets, they will need a shared secret key with every existing employee. There are 10 existing employees, so 10 new keys are required. 대칭 암호화 시스템에서는 각 쌍의 통신을 위해 별도의 공유 비밀 키가 필요합니다. Acme Widgets에 10명의 직원이 있다면 모든 가능한 직원 쌍에 대한 공유 비밀 키가 필요하므로 10명의 직원 사이의 조합 수인 10개의 새로운 키가 필요합니다. 즉, 새 직원을 추가할 경우 10개의 새로운 키를 추가해야 합니다.

Greg wants to use a tool that can directly edit disks for forensic purposes. What commercial tool could he select from this list? A. dd B. memdump C. WinHex D. df

C. WinHex is a commercial disk editor that provides a number of useful forensic tools that can help with investigations and data recovery. The other tools are open source tools. Greg가 디스크를 직접 편집하여 포렌식 목적으로 사용하려면 "WinHex"라는 상용 도구를 선택할 수 있습니다. 정답: C. WinHex 다른 옵션에 대한 설명: A. "dd"는 리눅스 및 유닉스 환경에서 디스크 복사 및 변환에 사용되는 명령입니다. B. "memdump"는 메모리 덤프를 생성하는 명령 또는 도구가 아닙니다. D. "df" 명령은 디스크 사용량을 표시하는 명령입니다.

What hardware device is used to create the hardware root of trust for modern desktops and laptops? A. System memory B. a HSM C. The CPU D. The TPM

D. A hardware root of trust provides a unique element that means that board or device cannot be replicated. A TPM, or Trusted Platform Module, is commonly used to provide the hardware root of trust. CPUs and system memory are not unique in this way for common desktops and laptops, and an HSM, or hardware security module, is used to create, manage and store cryptographic certificates as well as perform and offload cryptographic operations. 현대 데스크톱 및 랩톱에서 하드웨어 루트 오브 트러스트를 만들기 위해 사용되는 하드웨어 장치는 TPM(Trusted Platform Module)입니다. TPM는 컴퓨터의 하드웨어 루트 오브 트러스트를 구축하고 보안 관련 작업을 수행하는 역할을 합니다. TPM은 주로 보안 관련 기능 및 암호화 키의 저장을 담당하며 시스템 보안을 강화하는 데 중요한 역할을 합니다.

The organization that Lynn works for wants to deploy an embedded system that needs to process data as it comes in to the device without processing delays or other interruptions. What type of solution does Lynn's company need to deploy? A. An MFP B. A HIPS C. An SoC D. An RTOS

D. A real-time operating system (RTOS) is an OS that is designed to handle data as it is fed to the operating system, rather than delaying handling it as other processes and programs are run. Real-time operating systems are used when processes or procedures are sensitive to delays that might occur if responses do not happen immediately. An MFP is a multifunction printer, a HIPS is a host intrusion prevent system, and an SoC is a system on a chip - which is hardware, which might run an RTOS, but the answer does not mention what type of OS the SoC is running. RTOS (Real-Time Operating System)는 실시간 데이터 처리 요구사항을 충족시키기 위한 운영 체제입니다. 실시간 시스템에서는 데이터가 도착하는 대로 즉시 처리되어야 하며, RTOS는 이러한 요구사항을 충족하기 위한 특수한 운영 체제입니다. 다른 보기들에 대한 설명은 다음과 같습니다: A. MFP (Multi-Function Printer): 다기능 프린터로, 데이터 처리와는 관련이 없습니다. B. HIPS (Host-based Intrusion Prevention System): 호스트 기반 침입 방지 시스템으로, 데이터 처리를 보장하는 데 사용되지 않습니다. C. SoC (System on a Chip): 칩 안에 다양한 시스템 구성 요소가 통합된 시스템으로, 데이터 처리와는 관련이 있을 수 있지만, 실시간 처리 요구사항을 충족시키는 데는 RTOS가 더 적합합니다.

Brian is selecting a CASB for his organization and he would like to use an approach that interacts with the cloud provider directly. Which CASB approach is most appropriate for his needs? A. Inline CASB B. Outsider CASB C. Comprehensive CASB D. API-based CASB

D. API-based CASB solutions interact directly with the cloud provider through the provider's API. Inline CASB solutions intercept requests between the user and the provider. Outsider and comprehensive are not categories of CASB solutions. API 기반 CASB 접근 방식은 클라우드 제공 업체의 API를 통해 직접 클라우드 서비스와 상호 작용하는 방식을 의미합니다. 이 방식은 클라우드 서비스에 대한 더 직접적인 통제와 감시를 제공하며, 보안 정책 적용 및 이벤트 감지를 용이하게 합니다. A. Inline CASB (인라인 CASB): 네트워크 트래픽 중에 인라인으로 CASB를 배치하여 실시간으로 트래픽을 감시하고 제어하는 방식입니다. B. Outsider CASB (아웃사이더 CASB): 클라우드 트래픽을 감시하고 분석하기 위해 클라우드 애플리케이션의 외부에서 동작하는 CASB입니다. C. Comprehensive CASB (포괄적인 CASB): 모든 유형의 CASB 기능을 통합하여 제공하는 CASB 접근 방식입니다.

Brenda's company provides a managed incident response service to its customers. What term best describes this type of service offering? A. MSP B. PaaS C. SaaS D. MSSP

D. Brenda's company is offering a technology service to customers on a managed basis, making it a managed service provider (MSP). However, this service is a security service, so the term managed security service provider (MSSP) is a better description of the situation. Brenda의 회사는 관리된 사고 대응 서비스를 제공하고 있으므로 이러한 유형의 서비스 제공은 MSSP (Managed Security Service Provider)로 분류됩니다. MSSP는 고객에게 보안 관련 서비스를 제공하는 전문 업체를 나타내며, 이 서비스는 관리된 사고 대응과 같은 다양한 보안 기능을 포함할 수 있습니다.

Frank is investigating a security incident where the attacker entered a very long string into an input field, which was followed by a system command. What type of attack likely took place? A. Cross-site request forgery B. Server-side request forgery C. Command injection D. Buffer overflow

D. Buffer overflow attacks occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program's use. The goal is to overwrite other information in memory with instructions that may be executed by a different process running on the system.

Alaina wants to maintain chain of custody documentation and has created a form. Which of the following is not a common element on a chain of custody form? A. Item identifier number B. Signature of the person transferring the item C. Signature of the person receiving the item D. Method of transport

D. Chain of custody tracks who has an item, how it is collected, where it is stored and how, how it is secured or protected, who collected it, and transfers, but it does not typically include how the items were transported because that is not relevant if the other data is provided.

Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanners? A. Domain administrator B. Local administrator C. Root D. Read-only

D. Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner. - Credentialed scan typically only retrieve information from target servers and do not make changes to the server itself. Therefore administrators should enforce the principle of least privilege by providing the scanner with a read-only account on the server. This reduces the likelihood of a security incident related to the scanner's credentialed access.

What type of cross-site scripting attack would not be visible to a security professional inspecting the HTML source code in a browser? A. Reflected XSS B. Stored XSS C. Persistent XSS D. DOM-based XSS

D. DOM-based XSS attacks hide the attack code within the Document Object Model. this code would not be visible to someone viewing the HTML source of the page. Other XSS attacks would leave visible traces in the browser. - Reflected XSS: involves injecting malicious executable code into an HTTP response. The malicious script does not reside in the application and does not persist - Stored XSS/Persistent XSS: store cross-site scripting code on a remote web server. They are persistent because they remain on the server even when the attacker isn't actively waging an attack. DOM 기반 XSS 공격은 클라이언트 측 스크립트가 동적으로 DOM (Document Object Model)을 조작하여 공격을 수행하는 공격입니다. 이러한 공격은 일반적으로 HTML 소스 코드 자체에는 직접적인 증거를 남기지 않으므로 HTML 소스 코드를 검사하는 것만으로는 감지하기 어렵습니다.

What type of digital certificate provides the greatest level of assurance that the certificate owner is who they claim to be? A. DV B. OV C. UV D. EV

D. Extended Validation (EV) Certificates provide the highest available level of assurance. The CA issuing an EV certificates that they have verified the identity and authenticity of the certificate subject. EV (확장 검증) 디지털 인증서는 가장 높은 수준의 신뢰를 제공합니다. 이 유형의 인증서는 엄격한 프로세스와 검증을 거쳐 발급되며, 웹 사이트의 소유자가 법인 구조 내에서 확인되었음을 나타내므로 사용자에게 높은 수준의 확신을 제공합니다. EV 디지털 인증서는 주로 금융 기관, 전자 상거래 웹 사이트 등에서 사용되며, 주소 표시 줄에 그린색의 "확인됨" 또는 "확장 검증" 표시와 함께 표시됩니다. 다른 유형의 디지털 인증서로는 DV (도메인 확인), OV (기업 확인), UV (사용자 확인) 등이 있으며, 각각 다른 신뢰 수준을 제공합니다.

What phase in the incident response process leverages indicators of compromise and log analysis as part of a review of events? A. Preparation B. Containment C. Eradication D. Identification

D. Identification phase focuses on using various techniques to analyze events to identify potential incidents. Preparation focuses on building tools, processes, and procedures to respond to incidents. Eradication involves the removal of artifacts related to the incident, and containment limits the scope and impact of the incident. 위 문제는 사고 대응 프로세스의 어떤 단계에서 공격 사례에 대한 식별 및 이벤트 검토가 이루어지는지를 묻는 문제입니다. Preparation (준비): 사전에 보안 정책과 프로시저를 준비하고 리소스 및 도구를 배치하는 단계입니다. Containment (격리): 공격의 확산을 막고 피해 범위를 제한하기 위한 단계입니다. Eradication (근절): 공격자의 접근을 제거하고 시스템에서 해킹된 모든 구성 요소를 제거하는 단계입니다. Identification (식별): 공격 사례를 식별하고 사건을 검토하며, 여기서는 이벤트 로그 및 공격에 대한 조사 결과를 활용하여 공격을 식별하는 과정을 의미합니다. 따라서 올바른 답은 D. Identification입니다.

Mike is sending David an encrypted message using a symmetric encryption algorithm. What key should he use to encrypt the message? A. Mike's public Key B. Mike's Private Key C. David's Public Key D. Shared secret Key

D. In symmetric encryption algorithm, both the sender and the receiver use a shared secret key to encrypt and decrypt the message, respectively. 대칭 암호화에서는 동일한 키를 메시지를 암호화하고 해독하는 데 사용합니다. 따라서 마이크와 대비드는 둘 다 동일한 비밀 키, 즉 "Shared secret Key"를 사용하여 메시지를 암호화하고 해독해야 합니다. 마이크의 공개 키나 비밀 키, 대비드의 공개 키나 비밀 키는 대칭 암호화에서 사용되지 않습니다.

Greg is implementing a data loss prevention system. He would like to ensure that it protects against transmissions of sensitive information by guests on his wireless network. What DLP technology would best meet this goal? A. Watermarking B. Pattern recognition C. Host-based D. Network-based

D. In this case, Greg must use a network-based DLP system. Host-based DLP requires the use of agents, which would be installed on guest systems. Greg may use watermarking and/or pattern recognition to identify the sensitive information but he must use network-based DLP to meet his goal. Network-based DLP is dedicated devices that sit on the network and monitor outbound network traffic. - Host-based DLP monitors system configuration and user actions, blocking undesirable action - Watermarking applies tags to sensitive documents and then DLP system can monitor them - Pattern Recognition: watch for telltale signs of sensitive information 설명: 그렉이 무선 네트워크에서 게스트가 민감한 정보를 전송하는 것을 방지하고자 할 때, 네트워크 기반의 데이터 유출 방지 기술이 가장 적합합니다. 네트워크 기반 DLP 시스템은 데이터 전송을 모니터링하고 무선 네트워크 트래픽을 검사하여 민감한 정보의 전송을 차단하거나 허용할 수 있습니다. 이러한 시스템은 네트워크 수준에서 데이터 보호를 제공하므로 무선 네트워크의 게스트에서도 민감한 정보의 유출을 효과적으로 관리할 수 있습니다. 따라서 올바른 답은 D. 네트워크 기반입니다.

Nina's organization uses SSH keys to provide secure access between systems. Which of the following is not a common security concern when using SSH keys? A. Inadvertent exposure of the private key B. Weak passwords/passphrases C. SSH Key sprawl D. Weak encryption

D. Inadvertent exposure of private keys via upload to a service like GitHub; poor handling of the private key in user directories; use of weak or reused passwords and passphrases; and key sprawl, in which keys are used broadly across an organization, are all common concerns. Weak encryption is not a typical concern with the use of SSH, since it implements modern strong encryption. SSH 키를 사용할 때 일반적으로 발생하는 보안 우려로는 다음과 같은 것들이 있습니다. A. Inadvertent exposure of the private key (개인 키의 무심코 노출) B. Weak passwords/passphrases (약한 비밀번호/암호구) C. SSH Key sprawl (SSH 키의 증식) 하지만 D. Weak encryption (약한 암호화)은 SSH 키의 사용과 관련이 없는 보안 우려입니다. SSH 프로토콜 자체는 강력한 암호화를 사용하므로 SSH 키의 암호화 강도는 일반적으로 안전한 수준입니다.

Kathleen wants to set up a system allows access into a high-security zone from a low security zone. What type of solution should she configure? A. VDI B. A container C. A DMZ D. A jump box

D. Jump boxes are systems or servers that are used to provide a presence and access path in a different security zone. VDI is a virtual desktop infrastructure and is used to provide controlled virtual systems for productivity and application presentation among other uses. A container is a way to provide a scalable, predictable application environment without having a full underlying virtual system, and a DMZ is a secure zone exposed to a lower trust level area or population. Kathleen은 "점프 박스" 또는 "바스천 호스트"로도 알려진 시스템을 구성해야 합니다. 점프 박스는 낮은 보안 영역에 위치한 안전한 시스템으로, 높은 보안 영역에 있는 시스템에 액세스하고 관리하는 데 사용됩니다. 이는 두 영역 간의 중개자 역할을 하며, 허가된 사용자가 점프 박스에 연결한 다음 거기서 고보안 영역의 시스템에 액세스할 수 있도록 합니다. 이 접근 방식은 고보안 영역에 직접 액세스를 제한하고 누가 해당 시스템에 액세스할 수 있는지에 대한 추가적인 제어와 모니터링 레이어를 제공하여 보안을 강화합니다.

Which of the following is not a typical security concern with MFPs? A. Exposure of sensitive data from copies and scans B. Acting as a reflector for network attacks C. Acting as an amplifier for network attacks D. Use of weak encryption

D. MFPs, or Multifunction printers, may contain sensitive data from copies or scans; some MFPs have built-in hard drives or other mass storage that can retain data for an extended period of time. They often have weak network security capabilities, making them useful as a reflector or amplifier in some network attacks. Fortunately, if a MFP supports protocols like TLS for web access, they support a reasonably secure implementation of the protocols needed to keep data transfers secure. MFPs는 종종 데이터를 복사하고 스캔하는 과정에서 민감한 정보 누출 (A), 네트워크 공격의 반사기 (B) 또는 증폭기 (C)로 작용할 수 있으며, 약한 암호화 (D) 사용은 보안 문제가 될 수 있습니다.

Matt is updating the organization's threat assessment process. What category of control is Matt implementing? A. Operational B. Technical C. Corrective D. Managerial

D. Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. Threat assessment is an example of one of these activities. Technical Control is in the digital space (firewall, encryption) Operational control is for processes to manage technology in a secure manner (access reviews, log monitoring) 맷이 조직의 위협 평가 프로세스를 업데이트하고 있다면, 이것은 관리적인 제어 범주에 해당합니다. 관리적인 제어는 조직의 정책, 절차 및 지침을 관리하고 조직의 보안 전략을 수립하는 데 사용됩니다. 이러한 제어는 조직의 전반적인 방향과 관리에 관련되어 있으며 위험 관리와 관련된 결정을 내릴 때 중요한 역할을 합니다. 따라서 올바른 답은 D. 관리입니다.

Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that are able to occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin's need? A. Separation of duties B. Least privilege C. Dual control D. Mandatory Vacations

D. Mandatory vacations are designed to force individuals to take time away from the office to allow fraudulent activity to come to light in their absence. The other controls listed here (separation of duties, least privilege, and dual control) are all designed to prevent, rather than detect, fraud.

Randy wants to prevent DHCP attacks on his network. What secure protocol should he implement to have the greatest impact? A. ARPS B. LDAPS C. SDHCP D. None of the above

D. None of the protocols listed will accomplish Randy's task. In fact, there is no secure DHCP or ARP version, and secure LDAP does not impact DHCP services. DHCP (Dynamic Host Configuration Protocol)은 IP 주소 및 관련 네트워크 설정을 자동으로 할당하는 프로토콜입니다. DHCP 공격을 방지하기 위해 일반적으로 사용되는 프로토콜 중 하나는 ARPS (Address Resolution Protocol Secure)이 아닙니다. LDAPS (Lightweight Directory Access Protocol over TLS/SSL)와 SDHCP (Secure DHCP)는 DHCP 공격을 방지하기 위한 특별한 프로토콜이 아닙니다. DHCP 공격을 방지하려면 일반적으로 다음과 같은 보안 조치를 취할 수 있습니다. DHCP Snooping: 네트워크 스위치에서 DHCP Snooping을 활성화하여 유효한 DHCP 서버가 아닌 잠재적으로 악의적인 DHCP 서버의 패킷을 필터링합니다. Port Security: 스위치 포트에서 MAC 주소 기반의 포트 보안을 설정하여 허용되지 않은 장치의 연결을 방지합니다. 네트워크 접근 제어 리스트 (ACL): 잘 알려진 DHCP 서버의 IP 주소를 제외한 다른 IP 주소에서의 DHCP 패킷을 차단하기 위해 ACL을 구성할 수 있습니다. DHCP 서버 보안 구성: DHCP 서버에서 클라이언트 식별 및 인증을 강화하고, 서버의 보안 구성을 강화하여 악의적인 요청을 거부합니다.

Scott wants to allow users to bring their own credentials to his website so that they can log in using a Google or Microsoft account without giving him their passwords. What protocol can he use that will allow those users to grant the website access to their information? A. Kerberos B. OAuth C. RADIUS D. OpenID

D. OAuth is a protocol designed to allow users to grant third-party sites access to their information without providing that site with their password. It is typically used by OpenID identity providers to provide both authentication and authorization. Neither Kerberos nor RADIUS fits these requirements. - Kerberos: deesigned to operate on untrusted networks and uses authentication to shield its authentication traffic.

Naomi believes that an attacker has compromised a Windows workstation using a fileless malware package. What Windows scripting tool was most likely used to download and execute the malware? A. VBScript B. Python C. Bash D. PowerShell

D. PowerShell is the most likely tool for this type of exploit. VBScript would be used inside an application, and both Bash and Python are more likely to exist on a Linux system. - Powershell: Windows - VBScript: inside application - Bash/Pythons: Linux PowerShell은 Windows 환경에서 스크립트 및 자동화 작업을 수행하는 강력한 도구이며, 악성 소프트웨어가 다운로드하고 실행되는 데 자주 이용됩니다. 파일리스 공격은 디스크에 파일을 저장하지 않고 메모리에서 실행되는 것을 의미하며, PowerShell은 메모리에서 스크립트를 실행하고 다운로드한 악성 코드를 실행하기에 적합한 도구 중 하나입니다.

Ben wants to implement a RAID array that combines both read and write performance while retaining data integrity if a drive fails. Cost is not a concern compared to speed and resilience. What RAID type should he use? A. RAID 1 B. RAID 5 C. RAID 6 D. RAID 10

D. RAID 10 (1+0) combines the benefits and downfalls of both RAID 0 (striping) and RAID 1 (Mirroring). In Ben's case, where speed and resilience are important and cost is not, striped drives with full copies maintained via the mirror is his best option. RAID 5 and RAID 6 have slower performance but can survive a loss of a drive. RAID 1, mirror, provides redundancy and read speeds, but does not improve write speeds.

Mike discovers that attackers have left software that allows them to have remote access to systems on a computer in his company's network. How should he describe or classify this malware? A. A worm B. Crypto malware C. A Trojan D. A backdoor

D. Remote access to a system is typically provided by a backdoor. Backdoors may also appear in firmware or even in hardware. None of the other items listed provide remote access by default, although they may have a backdoor as part of a more capable malware package.

Which is the following is not a capability provided by S/MIME when it is used to protect attachments for email? A. Authentication B. Nonrepudiation of the sender C. Message integrity D. Data security for the email header

D. S/MIME is used to protect attachments but does not protect the headers of an email. It does provide authentication, nonrepudiation, and message integrity. S/MIME (Secure/Multipurpose Internet Mail Extensions)는 전자 메일 통신을 보호하기 위한 다양한 기능을 제공하는 이메일 보안 표준 중 하나입니다. 그러나 S/MIME은 전자 메일 헤더의 데이터 보안을 직접 제공하지는 않습니다. S/MIME이 주로 제공하는 주요 기능은 다음과 같습니다. A. 인증: S/MIME을 사용하면 수신자가 디지털 서명을 통해 발신자의 신원을 확인할 수 있습니다. B. 발신자의 부인 방지: S/MIME은 발신자가 나중에 이메일 발송을 부인하지 못하도록 하는 기능을 제공합니다. C. 메시지 무결성: S/MIME은 이메일 메시지와 그 내용이 전송 중에 변경되지 않았음을 보장합니다. S/MIME은 이메일 내용을 보호하고 발신자의 신원을 확인하는 데 중점을 두지만, 전자 메일 헤더 자체의 보안을 구체적으로 다루지는 않습니다. 이메일 헤더에는 전자 메일의 경로 정보, 제목 라인 및 기타 메일의 메타데이터가 포함될 수 있지만, 일반적으로 S/MIME을 사용하여 암호화하거나 서명하지 않습니다. 따라서 정답은 다음과 같습니다. D. 전자 메일 헤더의 데이터 보안

Lucca's organization runs a hybrid datacenter with systems in Microsoft's Azure cloud and in a local facility. Which of the following attacks is one that he can establish controls for in both locations? A. Shoulder surfing B. Tailgating C. Dumpster Diving D. Phishing

D. Shoulder surfing, tailgating, and dumpster diving are all in-person physical attacks and are not something that will be in Lucca's control with a major cloud vendor. Antiphishing techniques can be used regardless of where servers and services are located.

Cindy wants to send threat information via a standardized protocol specifically designed to exchange cyber threat information. What should she choose? A. STIX 1.0 B. OpenIOC C. STIX 2.0 D. TAXII

D. TAXII, the Trusted Automated eXchange of Indicator Information protocol (shared through HTTPS), is specifically designed to communicate cyber threat information at the application layer. OpenIOC is a compromise indicator framework, and STIX is a threat description language (XML based). TAXII(Trusted Automated Exchange of Indicator Information)는 사이버 위협 정보를 교환하기 위한 표준 프로토콜입니다. TAXII를 사용하면 조직 간에 사이버 보안 지표 및 정보를 안전하게 공유할 수 있습니다. 다른 선택지인 STIX 1.0과 STIX 2.0는 사이버 위협 정보를 구조화하고 교환하기 위한 표준 스키마입니다. OpenIOC는 또 다른 형식의 위협 정보 교환 표준입니다

What organizations did the U.S. government help create to help share knowledge between organizations in specific verticals? A. DHS B. SANS C. CERTS D. ISACs

D. The U.S. government created the Information Sharing and Analysis Centers (ISACs). ISACs help infrastructure owners and operators share threat information, and provide tools and assistance to their members. - 각 기업에서 보안관제를 하면서 개별적으로 얻은 위협 정보가 공유되지 않고, 각 개별적으로 사용되었으나, '정보통신 ISAC', '금융 ISAC', '행정ISAC' 같은 단체를 만들어, 각 단체들끼리 위협 정보를 공유하여 효율적인 사이버 테러를 방어 미국 정부는 ISACs(Information Sharing and Analysis Centers)라고 불리는 조직들을 만들어 특정 수직 분야에서 사이버 보안 정보를 공유하고 협력하는 데 도움을 주고 있습니다. ISACs는 각각의 수직 분야에서 사이버 보안 문제를 공유하고 해결하기 위한 커뮤니티를 형성하는 데 중요한 역할을 합니다.

Which of the following is a memory forensic toolkit that includes memdump? A. FTK Imager B. WinHex C. dd D. Volatility

D. The Volatility Framework is a memory forensics tool kit that includes memdump. FTK Imager does contain a capture memory function, WinHex can dump memory, and dd can be used in a limited fashion to capture memory, but none of these tools builds in a function called memdump. "Volatility"은 메모리 포렌식 툴킷 중 하나로, "memdump"와 관련된 기능을 포함하고 있습니다. 정답: D. Volatility 다른 옵션에 대한 설명: A. "FTK Imager"는 디지털 포렌식 작업을 수행하기 위한 도구 중 하나이지만 "memdump"와 직접 관련되지는 않습니다. B. "WinHex"는 디스크와 파일 시스템 분석을 위한 툴로, 메모리 포렌식 도구와 직접 관련되지는 않습니다. C. "dd" 명령은 리눅스 및 유닉스 환경에서 디스크와 파일 복사에 사용되며, 메모리 포렌식 도구는 아닙니다.

Connor believes that there is an issue between his organization's network and a remote web server, and he wants to verify this by checking each hop along the route. Which tool should he use if he is testing from a Windows 10 system? A. tracert B. route C. traceroute D. pathping

D. The Windows "pathping" tool is specifically designed to show the network latency and loss at each step along a route. The "tracert" tool identifies the path to a remote system, and the "route" command can be used to view, add, and delete routes. "traceroute" is used in Linux, not Windows.

What is the primary concern with SFlow and a large, busy network? A. It may allow buffer overflow attacks against the collector host? B. SFlow is not designed for large or complex networks. C. SFlow puts extreme load on the flow connector host D. SFlow samples only network traffic, meaning that some detail will be lost.

D. The primary concern for analyst who deploy SFlow is often that it samples only data, meaning some accuracy and nuance can be lost in the collection of flow data. Sampling, as well as the implementation methods for SFlow, means that it scales well to handle complex and busy networks. Although vulnerabilities may exist in SFlow connectors, a buffer overflow is not a primary concern for them. SFlow은 네트워크에서 발생하는 데이터 흐름 정보를 샘플링하여 모니터링 및 분석하는 기술입니다. 그러나 SFlow는 트래픽을 샘플링하기 때문에 실제 트래픽의 일부를 놓칠 수 있습니다. 이는 큰 규모 또는 복잡한 네트워크에서 주요 고려 사항 중 하나입니다. 샘플링된 데이터에서 일부 세부 정보가 손실될 수 있으므로 정확한 네트워크 모니터링 및 분석이 어려울 수 있습니다. 다른 옵션들: A. SFlow는 플로우 데이터를 샘플링하므로 버퍼 오버플로 공격과는 직접적인 연관이 없습니다. B. SFlow는 네트워크 규모에 상관없이 사용될 수 있지만 큰 네트워크에서 세부 정보를 샘플링하기 때문에 데이터의 손실이 발생할 수 있습니다. C. SFlow가 플로우 커넥터 호스트에 과도한 부하를 가하도록 설계되지는 않았습니다. SFlow는 효율적인 데이터 샘플링 및 전송 방법을 사용하여 부하를 최소화합니다.

Nancy is concerned that there is a software keylogger on the system she is investigating. What data may have been stolen? A. All files on the system B. All keyboard input C. All files the user accessed while the keylogger was active D. Keyboard and other input from the user

D. Though Keyloggers often focus on keyboard input, other types of input may also be captured. Nancy should worry about any user input that occurred while the keylogger was installed. Keyloggers typically do not target files on systems, although if Nancy finds a keylogger she may want to check for other malware packages with additional capabilities. 소프트웨어 키로거는 주로 사용자의 키보드 입력 및 다른 입력 활동을 기록합니다. 따라서 소프트웨어 키로거가 시스템에 설치되어 있으면 사용자가 키보드를 입력한 내용 및 기타 입력 데이터를 기록하게 됩니다. 선택지 B의 "All keyboard input" (모든 키보드 입력)과 선택지 D의 "Keyboard and other input from the user" (사용자의 키보드 및 기타 입력)는 이러한 동작을 나타냅니다.

What protocol is used to securely wrap many otherwise insecure protocols? A. ISAKMP B. SSL C. IKE D. TLS

D. Transport Layer Security (TLS) is commonly used to wrap (protect_) otherwise insecure protocols. In fact, many of the secure protocols simply add TLS to protect them. ISAKMP and IKE are both used for IPsec and can be used to wrap insecure protocols, but they are not used alone. SSL is no longer used; TLS has almost entirely replaced it, although SSL is still often casually referred to as TLS.

Chuck wants to provide route security for his organization, and he wants to secure the BGP traffic that his routers rely on for route information. What should Chuck do? A. Choose a TLS-enabled version of BGP B. Turn on BGP route protection C. Use signed BGP by adopting certificates for each GBP peer D. None of the above

D. Unfortunately, BGP does not have native security methods, and BGP hijacks continue to appear on the news. Two solutions, SIDR and RPLS, have not been broadly adopted.

What component of virtualization platform is primarily responsible for preventing VM escape attack? A. Administrator B. Guest operating system C. Host operating system D. Hypervisor

D. Virtual Machine (VM) escape vulnerabilities are the most serious issue that can exist in a virtualized environment, particularly when a virtual host runs systems of differing security levels. In an escape attack, the attacker has access to a single virtual host and then manages to leverage that access to intrude upon the resources assigned to a different virtual machine. The hypervisor is supposed to prevent this type of access by restricting a virtual machine's access to only those resources assigned to that machine. VM 이스케이프 공격은 가상화 환경에서 가상 머신 (VM)의 격리를 벗어나서 호스트 시스템에 액세스하려는 시도입니다. 이러한 종류의 공격을 방지하고 VM의 격리를 유지하는 주요 구성 요소는 하이퍼바이저입니다. 하이퍼바이저는 VM 간의 격리를 관리하고 호스트 시스템 자원에 대한 접근을 제어합니다. 따라서 하이퍼바이저는 VM 이스케이프 공격을 방지하는 주된 방어 기구 중 하나입니다.

A company has connected their wireless access points and have enabled WPS. Which of the following security issues would be associated with this configuration? ❍ A. Brute force ❍ B. Client hijacking ❍ C. Cryptographic vulnerability ❍ D. Spoofing

The Answer: A. Brute force A WPS personal identification number (PIN) was designed to have only 11,000 possible iterations, making a brute force attack possible if the access point doesn't provide any protection against multiple guesses. The incorrect answers: B. Client hijacking The processes of adding a device through WPS occurs well before any app or client is used. C. Cryptographic vulnerability The vulnerability in WPS is based on a limited number of PIN options and not a cryptographic shortcoming. D. Spoofing Spoofing an existing device would not provide access to a WPS-enabled network.

A company would like to securely deploy applications without the overhead of installing a virtual machine for each system. Which of the following would be the BEST way to deploy these applications? ❍ A. Containerization ❍ B. IaaS ❍ C. Proxies ❍ D. CASB

The Answer: A. Containerization Application containerization uses a single virtual machine to use as a foundation for separate application "containers." These containers are implemented as isolated instances, and an application in one container is not inherently accessible from other containers on the system. B. IaaS IaaS (Infrastructure as a Service) is a cloud-based service that provides the basic infrastructure for installing operating systems and applications. By itself, IaaS does not provide any method of application deployments or virtual machines. C. Proxies Proxies can be used as security devices, but they aren't used for deploying application instances without virtual machines D. CASB A CASB (Cloud Access Security Broker) is a cloud security solution to manage visibility, compliance, threat prevention, and other security features for cloud-based applications.

An organization has identified a security breach and has removed the affected servers from the network. Which of the following is the NEXT step in the IR process? ❍ A. Eradication ❍ B. Preparation ❍ C. Recovery ❍ D. Identification ❍ E. Containment

The Answer: A. Eradication The IR (Incident Response) process is preparation, identification, containment, eradication, recovery, and lessons learned. Once a system has been contained, any malware or breached user accounts should be removed from the system. The incorrect answers: B. Preparation Before an incident occurs, you should compile contact information, incident handling hardware and software, analysis resources, and other important tools and policies. C. Recovery The focus of the recovery process is to get all of the systems back to normal. This phase removes malware, deletes breached user accounts, and fixes any vulnerabilities. D. Identification Identification of an event can be challenging, but it usually consists of IPS reports, anti-virus alerts, configuration change notifications, and other indicators. E. Containment In this example, the containment and isolation occurred when the affected servers were removed from the network.

A security manager believes that an employee is using their laptop to circumvent the corporate Internet security controls through the use of a cellular hotspot. Which of the following could be used to validate this belief? (Select TWO) ❍ A. HIPS ❍ B. UTM appliance logs ❍ C. Web application firewall events ❍ D. Host-based firewall logs ❍ E. Next-generation firewall logs

The Answer: A. HIPS and D. Host-based firewall logs If the laptop is not communicating across the corporate network, then the only evidence of the traffic would be contained on the laptop itself. A HIPS (Host-based Intrusion Prevention System) and host-based firewall logs may contain information about recent traffic flows to systems outside of the corporate network. The incorrect answers: B. UTM appliance logs A unified threat management appliance is commonly located in the core of the network. The use of a cellular hotspot would circumvent the UTM and would not be logged. C. Web application firewall events Web application firewalls are commonly used to protect internal web servers. Outbound Internet communication would not be logged, and anyone circumventing the existing security controls would also not be logged. E. Next-generation firewall logs Although a next-generation firewall keeps detailed logs, any systems communicating outside of the normal corporate Internet connection would not appear in those logs.

A security administrator is updating the network infrastructure to support 802.1X authentication. Which of the following would be the BEST choice for this configuration? ❍ A. LDAP ❍ B. HTTPS ❍ C. SNMPv3 ❍ D. MS-CHAP

The Answer: A. LDAP LDAP (Lightweight Directory Access Protocol) is a common protocol to use for centralized authentication. Other protocols such as RADIUS, TACACS+, or Kerberos would also be valid options for 802.1X authentication. The incorrect answers: B. HTTPS HTTPS (Hypertext Transfer Protocol Secure) is commonly used to encrypt web server communication. HTTPS is not an authentication protocol. C. SNMPv3 SNMPv3 (Simple Network Management Protocol version 3) is used to manage servers and infrastructure devices. SNMP is not an authentication protocol. D. MS-CHAP MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) was commonly used to authenticate devices using Microsoft's Point-toPoint Tunneling Protocol (PPTP). Security issues related to the use of DES (Data Encryption Standard) encryption in MS-CHAP eliminate it from consideration for modern authentication

A network administrator has installed a new access point, but only a portion of the wireless devices are able to connect to the network. Other devices can see the access point, but they are not able to connect even when using the correct wireless settings. Which of the following security features was MOST likely enabled? ❍ A. MAC filtering ❍ B. SSID broadcast suppression ❍ C. 802.1X authentication ❍ D. Anti-spoofing

The Answer: A. MAC filtering Filtering addresses by MAC (Media Access Control) address will limit which devices can connect to the wireless network. If a device is filtered by MAC address, it will be able to see an access point but it will not be able to connect. The incorrect answers: B. SSID broadcast suppression A suppressed SSID (Service Set Identifier) broadcast will hide the name from the list of available wireless networks. Properly configured client devices can still connect to the wireless network, even with the SSID suppression. C. 802.1X authentication With 802.1X authentication, users will be prompted for a username and password to gain access to the wireless network. Enabling 802.1X would not restrict properly configured devices. D. Anti-spoofing Anti-spoofing features are commonly used with routers to prevent communication from spoofed IP addresses. This issue in this question doesn't appear to involve any spoofed addresses

A company encourages users to encrypt all of their confidential materials on a central server. The organization would like to enable key escrow as a backup. Which of these keys should the organization place into escrow? ❍ A. Private ❍ B. CA ❍ C. Session ❍ D. Public

The Answer: A. Private With asymmetric encryption, the private key is used to decrypt information that has been encrypted with the public key. To ensure continued access to the encrypted data, the company must have a copy of each private key. B. CA A CA (Certificate Authority) key is commonly used to validate the digital signature from a trusted CA. This is not commonly used for user data encryption. C. Session Session keys are commonly used temporarily to provide confidentiality during a single session. Once the session is complete, the keys are discarded. Session keys are not used to provide long-term data encryption. D. Public In asymmetric encryption, a public key is already available to everyone. It would not be necessary to escrow a public key.

A security administrator is adding additional authentication controls to the existing infrastructure. Which of the following should be added by the security administrator? (Select TWO) ❍ A. TOTP ❍ B. Least privilege ❍ C. Role-based awareness training ❍ D. Separation of duties ❍ E. Job rotation ❍ F. Smart Card

The Answer: A. TOTP and F. Smart Card TOTP (Time-based One-Time Passwords) and smart cards are useful authentication controls when used in conjunction with other authentication factors. The incorrect answers: B. Least privilege Least privilege is a security principle that limits access to resources based on a person's job role. Least privilege is managed through security policy and is not an authentication control. C. Role-based awareness training Role-based awareness training is specialized training that is based on a person's control of data within an organization. This training is not part of the authentication process. D. Separation of duties A security policy that separates duties across different individuals is separation of duties. This separation is not part of the authentication process. E. Job rotation Job rotation is a security policy that moves individuals into different job roles on a regular basis. This rotation is not part of the authentication process.

A security administrator has configured a virtual machine in a screened subnet with a guest login account and no password. Which of the following would be the MOST likely reason for this configuration? ❍ A. The server is a honeypot for attracting potential attackers ❍ B. The server is a cloud storage service for remote users ❍ C. The server will be used as a VPN concentrator ❍ D. The server is a development sandbox for third-party programming projects

The Answer: A. The server is a honeypot for attracting potential attackers A screened subnet is a good location to configure services that can be accessed from the Internet, and building a system that can be easily compromised is a common tactic for honeypot systems. B. The server is a cloud storage service for remote users Although cloud storage is a useful service, configuring storage on a server with an open guest account is not a best practice. C. The server will be used as a VPN concentrator VPN (Virtual Private Networking) concentrators should be installed on secure devices, and configuring an open guest account would not be considered a secure configuration. D. The server is a development sandbox for third-party programming projects It would not be secure to configure a development sandbox on a system with an open guest account

A corporate security team would like to consolidate and protect the private keys across all of their web servers. Which of these would be the BEST way to securely store these keys? ❍ A. Use an HSM ❍ B. Implement full disk encryption on the web servers ❍ C. Use a TPM ❍ D. Upgrade the web servers to use a UEFI BIOS

The Answer: A. Use an HSM An HSM (Hardware Security Module) is a high-end cryptographic hardware appliance that can securely store keys and certificates for all devices. B. Implement full disk encryption on the web servers Full-disk encryption would only protect the keys if someone does not have the proper credentials, and it won't help consolidate all of the web server keys to a central point. C. Use a TPM A TPM (Trusted Platform Module) is used on individual devices to provide cryptographic functions and securely store encryption keys. Individual TPMs would not provide any consolidation of web server private keys. D. Upgrade the web servers to use a UEFI BIOS A UEFI (Unified Extensible Firmware Interface) BIOS (Basic Input/ Output System) does not provide any additional security or consolidation features for web server private keys.

A network administrator would like each user to authenticate with their personal username and password when connecting to the company's wireless network. Which of the following should the network administrator configure on the wireless access points? ❍ A. WPA2-PSK ❍ B. 802.1X ❍ C. WPS ❍ D. WPA2-AES

The Answer: B. 802.1X 802.1X uses a centralized authentication server, and all users can use their normal credentials to authenticate to an 802.1X network. The incorrect answers: A. WPA2-PSK The PSK (Pre-shared Key) is the shared password that this network administration would like to avoid using in the future. C. WPS WPS (Wi-Fi Protected Setup) connects users to a wireless network using a shared PIN (Personal Identification Number). D. WPA2-AES WPA2 (Wi-Fi Protected Access 2) encryption with AES (Advanced Encryption Standard) is a common encryption method for wireless networks, but it does not provide any centralized authentication functionality

Which of the following would be commonly provided by a CASB? (Select TWO) ❍ A. List of all internal Windows devices that have not installed the latest security patches ❍ B. List of applications in use ❍ C. Centralized log storage facility ❍ D. List of network outages for the previous month ❍ E. Verification of encrypted data transfers ❍ F. VPN connectivity for remote users

The Answer: B. A list of applications in use E. Verification of encrypted data transfers A CASB (Cloud Access Security Broker) can be used to apply security policies to cloud-based implementations. Two common functions of a CASB are visibility into application use and data security policy use. Other common CASB functions are the verification of compliance with formal standards and the monitoring and identification of threats. The incorrect answers: A. List of all internal Windows devices that have not installed the latest security patches A CASB focuses on policies associated with cloud-based services and not internal devices. C. Centralized log storage facility Using Syslog to centralize log storage is most commonly associated with a SIEM (Security Information and Event Manager). D. List of network outages for the previous month A network availability report would be outside the scope of a CASB. F. VPN connectivity for remote users VPN concentrators are commonly used to provide security connectivity for remote users

A security manager has created a report showing intermittent network communication from external IP addresses to certain workstations on the internal network. These traffic patterns occur at random times during the day. Which of the following would be the MOST likely reason for these traffic patterns? ❍ A. ARP poisoning ❍ B. Backdoor ❍ C. Polymorphic virus ❍ D. Trojan horse

The Answer: B. Backdoor A backdoor would allow an attacker to access a system at any time without any user intervention. If there are inbound traffic flows that cannot be identified, it may be necessary to isolate that computer and examine it for signs of a compromised system. A. ARP poisoning ARP (Address Resolution Protocol) poisoning is a local exploit that is often associated with a man-in-the-middle attack. The attacker must be on the same local IP subnet as the victim, so this is not often associated with an external attack. C. Polymorphic virus Polymorphic viruses will modify themselves each time they are downloaded. Although a virus could potentially install a backdoor, a polymorphic virus would not be able to install itself without user intervention. D. Trojan horse A Trojan horse is malware that is hidden inside of a seemingly harmless application. Once the Trojan horse is executed, the malware will be installed onto the victim's computer. Trojan horse malware could possibly install backdoor malware, but the Trojan horse itself would not be the reason for these traffic patterns.

A security administrator has found a keylogger installed alongside an update of accounting software. Which of the following would prevent the transmission of the collected logs? ❍ A. Prevent the installation of all software ❍ B. Block all unknown outbound network traffic at the Internet firewall ❍ C. Install host-based anti-virus software ❍ D. Scan all incoming email attachments at the email gateway

The Answer: B. Block all unknown outbound network traffic at the Internet firewall Keylogging software has two major functions; record keystrokes, and transmit those keystrokes to a remote location. Local file scanning and software best-practices can help prevent the initial installation, and controlling outbound network traffic can block unauthorized file transfers. The incorrect answers: A. Prevent the installation of all software Blocking software installations may prevent the initial malware infection, but it won't provide any control of outbound keylogged data. C. Install host-based anti-virus software A good anti-virus application can identify malware before the installation occurs, but anti-virus does not commonly provide any control of network communication. D. Scan all incoming email attachments at the email gateway Malware can be installed from many sources, and sometimes the source is unexpected. Scanning or blocking executables at the email gateway can help prevent infection but it won't provide any control of outbound file transfers.

A manufacturing company would like to track the progress of parts as they are used on an assembly line. Which of the following technologies would be the BEST choice for this task? ❍ A. Quantum computing ❍ B. Blockchain ❍ C. Hashing ❍ D. Asymmetric encryption

The Answer: B. Blockchain The ledger functionality of a blockchain can be used to track or verify components, digital media, votes, and other physical or digital objects. The incorrect answers: A. Quantum computing Quantum computing uses quantum theory to perform high-speed calculations. Quantum computing doesn't inherently provide any tracking mechanisms. C. Hashing Cryptographic hashes are commonly used to provide integrity verifications, but they don't necessarily include any method of tracking components on an assembly line. D. Asymmetric encryption Asymmetric encryption uses different keys for encryption and decryption. Asymmetric encryption does not provide any method for tracking objects on an assembly line.

A transportation company has moved their reservation system to a cloud-based infrastructure. The security manager would like to monitor data transfers, identify potential threats, and ensure that all data transfers are encrypted. Which of the following would be the BEST choice for these requirements? ❍ A. VPN ❍ B. CASB ❍ C. NGFW ❍ D. DLP

The Answer: B. CASB A CASB (Cloud Access Security Broker) is used to implement and manage security policies when working in a cloud-based environment. The incorrect answers: A. VPN A VPN (Virtual Private Network) can provide an encrypted tunnel for data transfers, but it doesn't provide any monitoring or threat identification. C. NGFW An NGFW (Next-Generation Firewall) is a useful security tool, but it doesn't provide any cloud-based security policy monitoring. D. DLP DLP (Data Loss Prevention) can monitor data to prevent the transfer of sensitive information, but it doesn't identify threats or force the transfer of encrypted data.

Which of the following would be the BEST way to determine if files have been modified after the forensics data acquisition process has occurred? ❍ A. Use a tamper seal on all storage devices ❍ B. Create a hash of the data ❍ C. Create an image of each storage device for future comparison ❍ D. Take screenshots of file directories with file sizes

The Answer: B. Create a hash of the data A hash will create a unique value that can be quickly validated at any time in the future. If the hash value changes, then the data must have also changed. The incorrect answers: A. Use a tamper seal on all storage devices A physical tamper seal will identify if a device has been opened, but it cannot identify any changes to the data on the storage device. C. Create an image of each storage device for future comparison A copy of the data would allow for comparisons later, but the process of doing the comparison would take much more time than validating a hash value. It's also possible that someone could tamper with both the original data and the copy of the data. D. Take screenshots of file directories with file sizes It's very easy to change the contents of a file without changing the size of the file.

An application developer is creating a mobile device app that will include extensive encryption and decryption. Which of the following technologies would be the BEST choice for this app? ❍ A. AES ❍ B. Elliptic curve ❍ C. Diffie-Hellman ❍ D. PGP

The Answer: B. Elliptic curve ECC (Elliptic Curve Cryptography) uses smaller keys than non-ECC encryption and has smaller storage and transmission requirements. These characteristics make it an efficient option for mobile devices. The incorrect answers: A. AES AES (Advanced Encryption Standard) is a useful encryption cipher, but the reduced overhead of elliptic curve cryptography is a better option for this scenario. C. Diffie-Hellman Diffie-Hellman is a key-agreement protocol, and Diffie-Hellman does not provide for any encryption or authentication. D. PGP PGP's public-key cryptography requires much more overhead than the elliptic curve cryptography option.

Daniel, a system administrator, believes that certain configuration files on a Linux server have been modified from their original state. Daniel has reverted the configurations to their original state, but he would like to be notified if they are changed again. Which of the following would be the BEST way to provide this functionality? ❍ A. HIPS ❍ B. File integrity check ❍ C. Application allow list ❍ D. WAF

The Answer: B. File integrity check A file integrity check (i.e., Tripwire, System File Checker, etc.) can be used to monitor and alert if there are any changes to a file. The incorrect answers: A. HIPS HIPS (Host-based Intrusion Prevention System) would help identify any security vulnerabilities, but there's nothing relating to this issue that would indicate that this issue was caused by an operating system or application vulnerability. A HIPS would not commonly alert on the modification of a specific file. C. Application allow list In this example, we're not sure how the file was changed or if a separate application or editor was even used. If the change was made with a valid application, an allow list would not provide any feedback or alerts. D. WAF A WAF (Web Application Firewall) is used to protect web-based applications from malicious attack. The example in this question was not related to a web-based application.

An organization has developed an in-house mobile device app for order processing. The developers would like the app to identify revoked server certificates without sending any traffic over the corporate Internet connection. Which of the following MUST be configured to allow this functionality? ❍ A. CSR ❍ B. OCSP stapling ❍ C. Key escrow ❍ D. Hierarchical CA

The Answer: B. OCSP stapling The use of OCSP (Online Certificate Status Protocol) requires communication between the client and the CA that issued a certificate. If the CA is an external organization, then validation checks will communicate across the Internet. The certificate holder can verify their own status and avoid client Internet traffic by storing the status information on an internal server and "stapling" the OCSP status into the SSL/TLS handshake. The incorrect answers: A. CSR A CSR (Certificate Signing Request) is used during the key creation process. The public key is sent to the CA to be signed as part of the CSR. C. Key escrow Key escrow will provide a third-party with access to decryption keys. The escrow process is not involved in real-time server revocation updates. D. Hierarchical CA A hierarchical CA design will create intermediate CAs to distributed the certificate management load and minimize the impact if a CA certificate needs to be revoked. The hierarchical design is not involved in the certification revocation check process

Which of the following BEST describes the modification of application source code that removes white space, shortens variable names, and rearranges the text into a compact format? ❍ A. Confusion ❍ B. Obfuscation ❍ C. Encryption ❍ D. Diffusion

The Answer: B. Obfuscation Obfuscation is the process of taking something that is normally understandable and making it very difficult to understand. Many developers will obfuscate their source code to prevent others from following the logic used in the application. The incorrect answers: A. Confusion Confusion is a concept associated with data encryption where the encrypted data is drastically different than the plaintext. C. Encryption Encrypting source code will effectively make it impossible to use unless you have the decryption key. In this example, the source code remained usable, but the readability of the source code was dramatically affected by the changes. D. Diffusion Diffusion is an encryption concept where changing one character of the input will cause many characters to change in the output.

Jack, a security administrator, has been tasked with hardening all of the internal web servers to prevent on-path attacks and to protect the application traffic from protocol analysis. These requirements should be implemented without changing the configuration on the client systems. Which of the following should Jack include in his project plan? (Select TWO) ❍ A. Add DNSSEC records on the internal DNS servers ❍ B. Use HTTPS over port 443 for all server communication ❍ C. Use IPsec for client connections ❍ D. Create a web server certificate and sign it with the internal CA ❍ E. Require FTPS for all file transfers

The Answer: B. Use HTTPS over port 443 for all server communication, and D. Create a web server certificate and sign it with the internal CA Using the secure HTTPS (Hypertext Transfer Protocol Secure) protocol will ensure that all network communication is protected between the web server and the client devices. If someone manages to capture the network traffic, they would be viewing encrypted data. A signed certificate from a trusted internal CA (Certificate Authority) allows web browsers to trust that the web server is the legitimate server endpoint. If someone attempts an on-path attack, the certificate presented will not validate and a warning message will appear in the browser. The incorrect answers: A. Add DNSSEC records on the internal DNS servers DNSSEC (Domain Name System Security Extensions) records are useful to validate the IP address of a device, but they would not prevent an on-path attack. DNSSEC also doesn't provide any security of the network communication itself. C. Use IPsec for client connections IPsec (IP Security) would provide encrypted communication, but it is not commonly used between a web client and web server. It would also require additional configuration changes on the client devices. E. Require FTPS for all file transfers Web server communication occurs with HTTP or the encrypted HTTPS protocols. The FTPS (File Transfer Protocol Secure) protocol is not commonly used between web clients and servers.

A file server has a full backup performed each Monday at 1 AM. Incremental backups are performed at 1 AM on Tuesday, Wednesday, Thursday, and Friday. The system administrator needs to perform a full recovery of the file server on Thursday afternoon. How many backup sets would be required to complete the recovery? ❍ A. 2 ❍ B. 3 ❍ C. 4 ❍ D. 1

The Answer: C. 4 Each incremental backup will archive all of the files that have changed since the last full or incremental backup. To complete this full restore, the administrator will need the full backup from Monday and the incremental backups from Tuesday, Wednesday, and Thursday. The incorrect answers: A. 2 If the daily backup was differential, the administrator would only need the full backup and the differential backup from Thursday. B. 3 Since the incremental backup only archives files that have changed, he will need all three daily incremental backups as well as Monday's full backup. D. 1 To recover incremental backups, you'll need the full backup and all incremental backups since the full backup.

Which of the following would be the best way to describe the estimated number of laptops that might be stolen in a fiscal year? ❍ A. ALE ❍ B. SLE ❍ C. ARO ❍ D. MTTR

The Answer: C. ARO The ARO (Annualized Rate of Occurrence) describes the number of instances that an event would occur in a year. For example, if the organization expect to lose seven laptops to theft in a year, the ARO for laptop theft is seven. The incorrect answers: A. ALE The ALE (Annual Loss Expectancy) is the expected cost for all events in a single year. If it costs $1,000 to replace a single laptop (the SLE) and you expect to lose seven laptops in a year (the ARO), the ALE for laptop theft is $7,000. B. SLE SLE (Single Loss Expectancy) is the monetary loss if a single event occurs. If one laptop is stolen, the cost to replace that single laptop is the SLE, or $1,000. D. MTTR MTTR (Mean Time to Repair) is the time required to repair a product or system after a failure.

A security administrator has identified the installation of a RAT on a database server and has quarantined the system. Which of the following should be followed to ensure that the integrity of the evidence is maintained? ❍ A. Perfect forward secrecy ❍ B. Non-repudiation ❍ C. Chain of custody ❍ D. Legal hold

The Answer: C. Chain of custody A chain of custody is a documented record of the evidence. The chain of custody also documents the interactions of every person who comes into contact with the evidence. The incorrect answers: A. Perfect forward secrecy Perfect forward secrecy (PFS) is an encryption technique that limits the use of session keys. PFS is not used to insure the integrity of evidence. B. Non-repudiation Non-repudiation ensures that the author of a document cannot be disputed. Non-repudiation does not provide any method of tracking and managing digital evidence. D. Legal hold A legal hold is a technique for preserving important evidence, but it doesn't provide any mechanism for the ongoing integrity of that evidence

A security administrator would like to test a server to see if a specific vulnerability exists. Which of the following would be the BEST choice for this task? ❍ A. FTK Imager ❍ B. Autopsy ❍ C. Metasploit ❍ D. Netcat

The Answer: C. Metasploit Metasploit is an exploitation framework that can use known vulnerabilities to gain access to remote systems. Metasploit performs penetration tests and can verify the existence of a vulnerability. The incorrect answers: A. FTK Imager FTK Imager is a third-party storage drive imaging tool and it can support many different drive types and encryption methods. FTK Imager will not identify software vulnerabilities. B. Autopsy Autopsy is a forensics tool that can view and recover data from storage devices. Autopsy does not identify operating system or application vulnerabilities. D. Netcat Netcat is a utility that can read and write data to the network. Netcat would not be the best choice for identifying system vulnerabilities.

An online retailer is planning a penetration test as part of their PCI DSS validation. A third-party organization will be performing the test, and the online retailer has provided the Internet-facing IP addresses for their public web servers but no other details. What penetration testing methodology is the online retailer using? ❍ A. Known environment ❍ B. Passive footprinting ❍ C. Partially known environment ❍ D. Ping scan

The Answer: C. Partially known environment A partially known environment test is performed when the attacker knows some information about the victim, but not all information is available. The incorrect answers: A. Known environment A known environment test is performed when the attacker has complete details about the victim's systems and infrastructure. B. Passive footprinting Passive footprinting is the process of gathering information from publicly available sites, such as social media or corporate websites. D. Ping scan A ping scan is a type of network scan that can identify devices connected to the network. A ping scan is not a type of penetration test.

A system administrator has protected a set of system backups with an encryption key. The system administrator used the same key when restoring files from this backup. Which of the following would BEST describe this encryption type? ❍ A. Asymmetric ❍ B. Key escrow ❍ C. Symmetric ❍ D. Out-of-band key exchange

The Answer: C. Symmetric Symmetric encryption uses the same key for both encryption and decryption. The incorrect answers: A. Asymmetric Asymmetric encryption uses different keys for encryption and decryption. B. Key escrow Key escrow is when a third-party holds the decryption keys for your data. D. Out-of-band key exchange Keys can be transferred between people or systems over the network (inband) or outside the normal network communication (out-of-band). In this example, the key wasn't exchanged between people or systems, since the system administrator is the same person who encrypted and decrypted.

A system administrator would like to segment the network to give the marketing, accounting, and manufacturing departments their own private network. The network communication between departments would be restricted for additional security. Which of the following should be configured on this network? ❍ A. VPN ❍ B. RBAC ❍ C. VLAN ❍ D. NAT

The Answer: C. VLAN A VLAN (Virtual Local Area Network) is a common method of logically segmenting a network. The devices in each segmented VLAN can only communicate with other devices in the same VLAN. A router is used to connect VLANs, and this router can often be used to control traffic flows between VLANs. The incorrect answers: A. VPN A VPN (Virtual Private Network) is an encryption technology that can be used to secure network connections between sites or remote enduser communication. VPNs are not commonly used to segment internal network communication. B. RBAC RBAC (Role-Based Access Control) describes a control mechanism for managing rights and permissions in an operating system. RBAC is not used for network segmentation. D. NAT NAT (Network Address Translation) is used to modify the source or destination IP address or port number of a network traffic flow. NAT would not be used when segmenting internal networks.

A company hires a large number of seasonal employees, and their system access should normally be disabled when the employee leaves the company. The security administrator would like to verify that their systems cannot be accessed by any of the former employees. Which of the following would be the BEST way to provide this verification? ❍ A. Confirm that no unauthorized accounts have administrator access ❍ B. Validate the account lockout policy ❍ C. Validate the processes and procedures for all outgoing employees ❍ D. Create a report that shows all authentications for a 24-hour period

The Answer: C. Validate the processes and procedures for all outgoing employees The disabling of an employee account is commonly part of the offboarding process. One way to validate an offboarding policy is to perform an audit of all accounts and compare active accounts with active employees The incorrect answers: A. Confirm that no unauthorized accounts have administrator access It's always a good idea to periodically audit administrator accounts, but this audit won't provide any validation that all former employee accounts have been disabled. B. Validate the account lockout policy Account lockouts occur when a number of invalid authentication attempts have been made to a valid account. Disabled accounts would not be locked out because they are not currently valid accounts. D. Create a report that shows all authentications for a 24-hour period A list of all authentications would be quite large, and it would not be obvious to see which authentications were made with valid accounts and which authentications were made with former employee accounts

A manufacturing company has moved an inventory application from their internal systems to a PaaS service. Which of the following would be the BEST way to manage security policies on this new service? ❍ A. DLP ❍ B. SIEM ❍ C. IPS ❍ D. CASB

The Answer: D. CASB A CASB (Cloud Access Security Broker) is used to manage compliance with security policies when using cloud-based applications. The incorrect answers: A. DLP DLP (Data Loss Prevention) can identify and block PII (Personally Identifiable Information) and other private details from being transferred across the network. B. SIEM A SIEM (Security Information and Event Manager) is a management system for log consolidation and reporting. A SIEM cannot managed cloud-based security policies. C. IPS An IPS (Intrusion Prevention System) can identify and block known vulnerabilities on the network, but it does not provide policy management for cloud-based systems.

A recent report shows the return of a vulnerability that was previously patched four months ago. After researching this issue, the security team has found that a recent patch has reintroduced this vulnerability on the servers. Which of the following should the security administrator implement to prevent this issue from occurring in the future? ❍ A. Templates ❍ B. Elasticity ❍ C. Master image ❍ D. Continuous monitoring

The Answer: D. Continuous monitoring It's common for organizations to continually monitor services for any changes or issues. A nightly vulnerability scan across important servers would identify issues like this one. A. Templates Templates can be used to easily build the basic structure of an application instance. These templates are not used to identify or prevent the introduction of vulnerabilities. B. Elasticity Elasticity is important when scaling resources as the demand increases or decreases. Unfortunately, elasticity will not help with the identification of vulnerabilities. C. Master image A master image is used to quickly copy a server for easy deployment. This image will need to be updated and maintained to prevent the issues associated with unexpected vulnerabilities

An organization maintains a large database of customer information for sales tracking and customer support. Which person in the organization would be responsible for managing the access rights to this data? ❍ A. Data processor ❍ B. Data owner ❍ C. Privacy officer ❍ D. Data custodian

The Answer: D. Data custodian The data custodian manages access rights and sets security controls to the data. The incorrect answers: A. Data processor The data processor manages the operational use of the data, but not the rights and permissions to the information. B. Data owner The data owner is usually a higher-level executive who makes business decisions regarding the data. C. Privacy officer A privacy officer sets privacy policies and implements privacy processes and procedures.

When a home user connects to the corporate VPN, they are no longer able to print to their local network printer. Once the user disconnects from the VPN, the printer works normally. Which of the following would be the MOST likely reason for this issue? ❍ A. The VPN uses IPSec instead of SSL ❍ B. Printer traffic is filtered by the VPN client ❍ C. The VPN is stateful ❍ D. The VPN tunnel is configured for full tunnel

The Answer: D. The VPN tunnel is configured for full tunnel A split tunnel is a VPN (Virtual Private Network) configuration that only sends a portion of the traffic through the encrypted tunnel. A split tunnel would allow work-related traffic to securely traverse the VPN, and all other traffic would use the non-tunneled option. In this example, the printer traffic is being redirected through the VPN instead of the local home network because of the non-split/full tunnel. A. The VPN uses IPSec instead of SSL There are many protocols that can be used to send traffic through an encrypted tunnel. IPsec is commonly used for site-to-site VPN connections, and SSL (Secure Sockets Layer) is commonly used for enduser VPN connections. However, either protocol can technically be used for any VPN tunnel, and the choice of protocol would have no difference on the operation of the local printer. B. Printer traffic is filtered by the VPN client VPN clients are usually tasked with sending traffic unfiltered through the encrypted tunnel. Although data could be filtered at some point along the communication path, it's not commonly filtered by the VPN client. C. The VPN is stateful A stateful communication is commonly associated with firewalls, and it refers to the firewall's ability to track traffic flows. Stateful communication would not be a technology commonly associated with a VPN, and it would not be part of the user's printing issue.

A security administrator attends an annual industry convention with other security professionals from around the world. Which of the following attacks would be MOST likely in this situation? ❍ A. Smishing ❍ B. Supply chain ❍ C. Impersonation ❍ D. Watering hole

The Answer: D. Watering hole A watering hole attack infects a third-party visited by the intended victims. An industry convention would be a perfect location to attack security professionals. The incorrect answers: A. Smishing Smishing, or SMS phishing, is a phishing attack over text messaging. A security administrator attending an industry event would not be the best possible scenario for smishing. B. Supply chain A supply chain attack infects part of the product manufacturing process in an attempt to also infect everything further down the chain. An industry trade event would not be a common vector for a supply chain attack. C. Impersonation Impersonation attacks use misdirection and pretext to allow an attacker to pretend they are someone else. An industry trade show is not a common environment for an impersonation attack.

Vala, a security analyst, has received an alert from her IPS regarding active exploit attempts from the Internet. Which of the following would provide detailed information about these exploit attempts? ❍ A. Netstat ❍ B. Nmap ❍ C. Nessus ❍ D. Wireshark

The Answer: D. Wireshark Wireshark is a protocol analyzer, and it can provide information about every frame that traverses the network. From a security perspective, the protocol decode can show the exploitation process and details about the payloads used during the attempt. The incorrect answers: A. Netstat The netstat command can display connectivity information about a device, but it won't provide any additional details about an exploit attempt. B. Nmap An Nmap scan is a useful tool for understanding the potential exploit vectors of a device, but it won't show information about an active exploitation attempt. C. Nessus Nessus is a vulnerability scanner that can help identify potential exploit vectors, but it's not useful for showing active exploitation attempts by a third-party.

A security administrator needs to identify all references to a Javascript file in the HTML of a web page. Which of the following tools should be used to view the source of the web page and search through the file for a specific filename? (Select TWO) ❍ A. tail ❍ B. openssl ❍ C. scanless ❍ D. grep ❍ E. Nmap ❍ F. curl ❍ G. head

The Answer: D. grep and F. curl The curl (Client URL) command will retrieve a web page and display it as HTML at the command line. The grep command can then be used to search through the file for a specific string of text The incorrect answers: A. tail The tail command will display the information at the end of a file. B. openssl OpenSSL is a cryptography library that is commonly used to support SSL/TLS encryption on web servers. C. scanless Scanless is a utility that can perform a port scan using a proxy service. E. Nmap The Nmap utility is a popular port scanning and reconnaissance utility. G. head The head command will display the information at the start of a file.

Which password attack bypasses account-lockout policies? A. Birthday attack B. Spraying attack C. Dictionary attack D. Replay attack

The correct answer is B. Spraying attack. Here's an explanation of the answers: A. Birthday Attack: The Birthday Attack is a cryptographic attack used to find collisions in hash functions efficiently. It is unrelated to password attacks and does not bypass account-lockout policies. B. Spraying Attack: A Spraying Attack is a type of brute force attack where an attacker tries a small number of commonly used passwords (or a few variations of the same password) against a large number of accounts. Since it doesn't involve trying a massive number of password combinations for a single account, it may bypass account-lockout policies that are designed to lock an account after a certain number of failed login attempts. This is because the attacker spreads their attempts across many accounts, making it less likely that any single account will trigger the lockout. C. Dictionary Attack: A Dictionary Attack is a type of attack where an attacker systematically tries a predefined list of commonly used passwords against a single account or a list of accounts. It may or may not bypass account-lockout policies depending on how it is executed. If it's carried out against a single account, it might trigger account lockout. However, if the attacker is using a dictionary attack against multiple accounts (similar to a spraying attack), it can also bypass account-lockout policies. D. Replay Attack: A Replay Attack is a different type of attack where an attacker intercepts and retransmits valid data communication, such as authentication requests, to gain unauthorized access. It is not typically associated with bypassing account-lockout policies.

An organization is installing a UPS for their new data center. Which of the following would BEST describe this type of control? ❍ A. Compensating ❍ B. Preventive ❍ C. Managerial ❍ D. Detective

the Answer: A. Compensating A compensating security control doesn't prevent an attack, but it does restore from an attack using other means. In this example, the UPS does not stop a power outage, but it does provide alternative power if an outage occurs The incorrect answers: B. Preventive A preventive control physically limits access to a device or area. C. Managerial A managerial control sets a policy that is designed to control how people act. D. Detective A detective control may not prevent access, but it can identify and record any intrusion attempts

A system administrator, Daniel, is working on a contract that will specify a minimum required uptime for a set of Internet-facing firewalls. Daniel needs to know how often the firewall hardware is expected to fail between repairs. Which of the following would BEST describe this information? ❍ A. MTBF ❍ B. RTO ❍ C. MTTR ❍ D. MTTF

the Answer: A. MTBF The MTBF (Mean Time Between Failures) is a prediction of how often a repairable system will fail. The incorrect answers: B. RTO RTO (Recovery Time Objectives) define a set of objectives needed to restore a particular service level. C. MTTR MTTR (Mean Time to Restore) is the amount of time it takes to repair a component. D. MTTF MTTF (Mean Time to Failure) is the expected lifetime of a non-repairable product or system.

A security incident has occurred on a file server. Which of the following data sources should be gathered to address file storage volatility? (Select TWO) ❍ A. Partition data ❍ B. Kernel statistics ❍ C. ROM data ❍ D. Temporary file systems ❍ E. Process table

the Answer: A. Partition data and D. Temporary file systems Both temporary file system data and partition data are part of the file storage subsystem. The incorrect answers: B. Kernel statistics Kernel statistics are stored in memory. C. ROM data ROM data is a type of memory storage. E. Process table The process table keeps track of system processes, and it stores this information in RAM.

A Linux administrator is downloading an updated version of her Linux distribution. The download site shows a link to the ISO and a SHA256 hash value. Which of these would describe the use of this hash value? ❍ A. Verifies that the file was not corrupted during the file transfer ❍ B. Provides a key for decrypting the ISO after download ❍ C. Authenticates the site as an official ISO distribution site ❍ D. Confirms that the file does not contain any malware

the Answer: A. Verifies that the file was not corrupted during the file transfer The incorrect answers: B. Provides a key for decrypting the ISO after download ISO files containing public information are usually distributed without any encryption, and a hash value would not commonly be used as a decryption key. C. Authenticates the site as an official ISO distribution site Although it's important to download files from known good sites, providing a hash value on a site would not provide any information about the site's authentication. D. Confirms that the file does not contain any malware A hash value doesn't inherently provide any protection against malware.

Which of the following would be the BEST way to confirm the secure baseline of a deployed application instance? ❍ A. Compare the production application to the sandbox ❍ B. Perform an integrity measurement ❍ C. Compare the production application to the previous version ❍ D. Perform QA testing on the application instance

the Answer: B. Perform an integrity measurement An integrity measurement is designed to check for the secure baseline of firewall settings, patch levels, operating system versions, and any other security components associated with the application. These secure baselines may vary between different application versions. A. Compare the production application to the sandbox A sandbox is commonly used as a development environment. Security baselines in a production environment can be quite different when compared to the code in a sandbox. C. Compare the production application to the previous version The newer version of an application may have very different security requirements than previous versions. D. Perform QA testing on the application instance QA (Quality Assurance) testing is commonly used for finding bugs and verifying application functionality. The primary task of QA is not generally associated with verifying security baselines.

Which part of the PC startup process verifies the digital signature of the OS kernel? ❍ A. Measured Boot ❍ B. Trusted Boot ❍ C. Secure Boot ❍ D. POST

the Answer: B. Trusted Boot The Trusted Boot portion of the startup process verifies the operating system kernel signature and starts the ELAM (Early Launch Anti-Malware) process The incorrect answers: A. Measured Boot Measured Boot occurs after the Trusted Boot process and verifies that nothing on the computer has been changed by malicious software or other processes. C. Secure Boot Secure Boot is a UEFI BIOS boot feature that checks the digital signature of the bootloader. The Trusted Boot process occurs after Secure Boot has completed. D. POST POST (Power-On Self-Test) is a hardware check performed prior to booting an operating system.

A security administrator needs to identify all computers on the company network infected with a specific malware variant. Which of the following would be the BEST way to identify these systems? ❍ A. Honeynet ❍ B. Data masking ❍ C. DNS sinkhole ❍ D. DLP

the Answer: C. DNS sinkhole A DNS (Domain Name System) sinkhole can be used to redirect and identify devices that may attempt to communicate with an external command and control (C2) server. The DNS sinkhole will resolve an internal IP address and can report on all devices that attempt to access the malicious domain. The incorrect answers: A. Honeynet A honeynet is a non-production network that has been specifically created to attract attackers. A honeynet is not commonly used to identify infected devices. B. Data masking Data masking provides a way to hide data by substitution, shuffling, encryption, and other methods. Data masking does not provide a method of identifying infected devices. D. DLP DLP (Data Loss Prevention) systems can identify and block private information from transferring between systems. DLP does not provide any direct method of identifying devices infected with malware.

An organization's content management system (CMS) currently labels files and documents as "Unclassified" and "Restricted." On a recent updated to the CMS, a new classification type of "PII" was added. Which of the following would be the MOST likely reason for this addition? ❍ A. Healthcare system integration ❍ B. Simplified categorization ❍ C. Expanded privacy compliance ❍ D. Decreased search time

the Answer: C. Expanded privacy compliance The labeling of PII (Personally Identifiable Information) is often associated with privacy and compliance concerns A. Healthcare system integration Healthcare data would most likely be labeled as PHI (Protected Health Information). Personal information isn't necessarily health-related. B. Simplified categorization Adding additional categories would not commonly be considered a simplification. D. Decreased search time Adding additional classifications would not necessarily provide any decreased search times

A member of the accounting team was out of the office for two weeks, and an important financial transfer was delayed until they returned. Which of the following would have prevented this delay? ❍ A. Split knowledge ❍ B. Least privilege ❍ C. Job rotation ❍ D. Dual control

the Answer: C. Job rotation Job rotation moves employees through different job roles as part of their normal work environment. This policy limits the potential for fraud and allows others to cover responsibilities if someone is out of the office. A. Split knowledge The use of split knowledge limits the information that any one person would know. In this example, having knowledge of part of the process would not have helped with processing the financial transfer. B. Least privilege Least privilege is a security policy that limits the rights and permissions of a user to only those tasks required for their job role. In this example, having properly configured privileges would not have provided any contingency for this delayed transaction. D. Dual control With dual control, two persons must be present to perform a business function. In this example, one of the employees is out of the office and dual control would not be possible

A user connects to a third-party website and receives this message: Your connection is not private. NET::ERR_CERT_INVALID Which of the following attacks would be the MOST likely reason for this message? ❍ A. Brute force ❍ B. DoS ❍ C. On-path ❍ D. Disassociation

the Answer: C. On-path An on-path attack is often associated with a third-party who is actively intercepting network traffic. This entity in the middle would not be able to provide a valid SSL certificate for a third-party website, and this error would appear in the browser as a warning. The incorrect answers: A. Brute force A brute force attack is commonly associated with password hacks. Brute force attacks would not cause the certificate on a website to be invalid. B. DoS A DoS (Denial of Service) attack would prevent communication to a server and most likely provide a timeout error. This error is not related to a service availability issue. D. Disassociation Disassociation attacks are commonly associated with wireless networks, and they usually cause disconnects and lack of connectivity. The error message in this example does not appear to be associated with a network outage or disconnection.